1.0 Introduction

Under the guidance of processes provided by Crew Transportation Plan (CCT-PLN-1100), this
document with its sister documents, Crew Transportation Technical Management Processes
(CCT-PLN-1120), International Space Station (ISS) Crew Transportation and Services Requirements
Document (CCT-REQ-1130), Crew Transportation Operations Standards (CCT-STD-1150), and ISS to
Commercial Orbital Transportation Services Interface Requirements Document (SSP 50808), provide
the basis for a National Aeronautics and Space Administration (NASA) certification for services to the
ISS for the Commercial Provider. When NASA Crew Transportation System (CTS) certification is
achieved for ISS transportation, the Commercial Provider will be eligible to provide services to and
from the ISS during the services phase of the NASA Commercial Crew Program (CCP).

1.1 Purpose 

In the course of over fifty years of human space flight, NASA has developed a working knowledge and 
body of standards that seek to guide both the design and the evaluation of safe designs for space 
systems. The purpose of this document is to inform potential Commercial Providers of the 
specifications, standards, and products/artifacts that NASA considers crucial to a successful 
development effort and to provide the Commercial Provider with NASA expectations, essentially the 
technical criteria, used in assessing these items to ensure they meet the intent of Sections 3.9 through
3.12 of CCT-REQ-1130.

The evaluation of technical standard requirements that utilize the "meet the intent of" language is
addressed in this volume; these requirements may be satisfied through the use of alternative standards instead of the
NASA, military, or industry standard listed. For these alternative standards, this document will be 
utilized to define the evaluation criteria that the CCP will use to determine whether the proposed 
standard is acceptable. 

Discipline specific technical work products/artifacts (e.g., plans, analyses, reports, etc.) are also called 
out in this volume, along with the criteria that will be used to evaluate them. The intent is to identify 
products that NASA deems critical to the ultimate successful certification of a CTS. It is NASA’s 
expectation that any Commercial Provider’s successful development activities would already involve 
these products. It is not NASA’s intent to convey a request for formal deliverables by listing these items 
in the technical products section of this document. 

This document is organized by discipline, with each section containing the key products and technical 
assessments that will be used as a benchmark to determine acceptability of the Commercial Provider’s 
technical standards and products. 

Once the Commercial Provider and NASA have reached an agreement on an alternative technical 
standard, it will be added to the partnered set of standards for the CTS. Once this partnered set of 
standards is in place, it will be used in design evaluations in lieu of the standard called out by
CCT-REQ-1130. The content of this document will continue to be utilized as a reference for the types of products
and analysis that are typically evaluated to establish technical adequacy for each discipline. 
1.2 Scope

This document includes the criteria, expectations, and insight criteria that will be used in the evaluation 
of technical standards for launch vehicle, spacecraft, and ground system requirements identified by the 
CCP and the ISS Program for the CTS. The CTS refers to all assets and services necessary to meet the 
requirements of CCT-REQ-1130, including pre-flight planning, trajectory and abort analysis, ground 
processing and manufacturing, ground operations, mission control, training, launch control, launch,
on-orbit operations, post-landing recovery operations, safety and mission assurance, and all other functions
required for safe and successful human space flight missions. When elements of the CTS are technical 
or specific to a requirement, they will be called out; for example, the term CTS spacecraft will be used 
when the launch vehicle and ground elements are not specific to that portion of the design. 

1.3 Precedence 

In the event of a conflict between the text of this document and references cited herein (listed in Section 
2.0), the text of this document takes precedence. The exception to this statement is for SSP 50808, 
which takes precedence during the arrival, docked, and departure operations. Nothing in this document 
supersedes applicable laws and regulations, unless a specific exemption has been obtained. 

1.4 Delegation of Authority 

This document was prepared by NASA’s CCP, and will be maintained in accordance with standards for 
CCP documentation. The CCP is responsible for assuring the definition, control, implementation, and 
verification of the requirements identified in this document. 
2.0 Documents

2.1 Requirements Applicability Matrix 

The table below indicates where in this document a discipline has documented the evaluation that will 
be performed of the Commercial Provider’s technical standard to determine if it meets the intent of the 
listed NASA or industry standard. This table also includes references to the appropriate section of
CCT-REQ-1130 where that standard is specified.


| Document Number | Revision | Title and CCT-REQ-1130 Requirement | CCT-STD-1140 Reference | CCT-STD-1140 Description |
|---|---|---|---|---|
| ANSI/ESD S20.20 | Edition 07 | For the Development of an Electronic Discharge Control Program for Protection of Electrical and Electronic Parts, Assemblies and Equipment (Excluding Electrically Initiated Explosive Devices) (R.CTS.286) | 7.1.8.2; 7.2.2 | Avionics and Electrical Systems; EEE Parts Management |
| FAA AC 20-136B | Rev. B | Aircraft Electrical and Electronic System Lightning Protection (R.CTS.290) | 7.1.7.2 | Avionics and Electrical Systems |
| GEIA-STD-0005-1 | Baseline | Performance Standard for Aerospace and High Performance Electronic Systems Containing Lead-Free Solder (R.CTS.277) | 7.1.5.2 | Printed Wiring Boards Technical Assessment |
| GEIA-STD-0005-2 | Baseline | Standard for Mitigating the Effects of Tin Whiskers in Aerospace and High Performance Electronics (R.CTS.278) | 7.2.2 | EEE Parts Management |
| IEC 61000-4-2 | Edition 2.0 | Electromagnetic Compatibility (EMC) Testing and Measurement Techniques-Electrostatic Discharge Immunity Test for Human Body Model (HBM) Subassemblies, Assemblies and Equipment Discharge Levels (R.CTS.371) | 7.1.8 | Electrostatic Controls |
| IPC J-STD-001E | Rev. E | Requirements for Soldered Electrical and Electronic Assemblies (R.CTS.275 and R.CTS.276) | 7.1.5.2 | Avionics and Electrical Systems |
| IPC J-STD-001ES Amendment 1 | | Space Applications Electronic Hardware Addendum to J-STD-001E, Requirements for Soldered Electrical and Electronic Assemblies (R.CTS.275 and R.CTS.276) | 7.1.5.2 | Avionics and Electrical Systems |
| IPC-2152 | Baseline | Standard for Determining Current Carrying Capacity in Printed Circuit Board Design (R.CTS.270) | 7.1.5.2 | Avionics and Electrical Systems |
| IPC-2220 Series | 2221: A; 2222: A; 2223: B; 2224: BL; 2225: BL; 2226: BL | Family of Printed Board Design Documents (R.CTS.268) | 7.1.5.2 | Avionics and Electrical Systems |
| IPC-6010 Series | 6011: BL; 6012: C; 6013: B; 6015: BL; 6016: BL; 6017: BL; 6018: A | Family of Printed Board Performance Documents (R.CTS.269) | 7.1.5.2 | Avionics and Electrical Systems |
| IPC-CM-770E | Rev. E (1/1/04) | Component Mounting Guidelines for Printed Boards (R.CTS.284) | 7.1.5.2 | Avionics and Electrical Systems |
| JSC 20793 | Rev. C | Crewed Space Vehicle Battery Safety Requirements (R.CTS.282) | 7.1.4 | Avionics and Electrical Systems |
| JSC 62809 | Rev. D | Human-Rated Spacecraft Pyrotechnic Specification (R.CTS.294) | 7.1.3; 7.3.2 | Interconnecting Cable and Harnesses; Pyrotechnics |
| JSC 65827 | A | Thermal Protection System Design Standard for Spacecraft (R.CTS.293) | 7.4.3.1 | Thermal Protection Systems |
| JSC 65828 | Rev. B-1 | Structural Design Requirements and Factors of Safety for Spaceflight Hardware (R.CTS.295) | 7.4.3.1; 7.4.1; 7.5.2; 7.6.2 | Thermal Protection Systems; Structures; Fluid Systems; Propulsion Systems |
| JSC 65829 | A | Loads and Structural Dynamics Requirements for Spaceflight Hardware (R.CTS.297) | 5.2.2; 5.3.1; 5.3.2; 7.5.2; 7.6.2 | Structural Dynamics; Int. Vehicle Dynamics; Fluid Systems; Propulsion Systems |
| JSC 65985 | Rev. A | Requirements for Human Spaceflight for the Trailing Deployable Aerodynamic Decelerator (TDAD) (R.CTS.291) | 7.7.2 | Trailing Deployable Aerodynamic Decelerator |
| MIL-STD-461 | Rev. F | Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment (R.CTS.287) | 7.1.6.2 | Avionics and Electrical Systems |
| MIL-STD-464 | Rev. C | Electromagnetic Environmental Effects Requirements for Systems (R.CTS.288) | 7.1.6.2 | Avionics and Electrical Systems |
| MIL-STD-981 | Rev. C | Design, Manufacturing and Quality Standards for Custom Electromagnetic Devices for Space Applications (R.CTS.289) | 7.1.6.2 | Avionics and Electrical Systems |
| MSFC-DWG-20M02540 | E (1/15/92) | Assessment of Flexible Lines for Flow-Induced Vibration (R.CTS.303) | 7.5.3 | Fluid Systems |
| MSFC-SPEC-626 | Basic (5/11/90) | Test Control Document for Assessment of Flexible Lines for Flow Induced Vibration (V.CTS.303) | 7.5.3 | Fluid Systems |
| NASA-STD-4003A | A | Electrical Bonding For NASA Launch Vehicles, Spacecraft, Payloads, and Flight Equipment (R.CTS.281) | 7.1.9.1 | Avionics and Electrical Systems |
| NASA-STD-4005 | Baseline | Low Earth Orbit Spacecraft Charging Design Standard (R.CTS.285) | 7.1.10 | Avionics and Electrical Systems |
| NASA-STD-5012 | Baseline | Strength and Life Assessment Requirements for Liquid Fueled Space Propulsion System Engines (R.CTS.304) | 7.4; 7.6.2 | Structures; Propulsion Systems |
| NASA-STD-5017 | Baseline | Design and Development Requirements for Mechanisms (R.CTS.292) | 7.3; 7.5.2 | Mechanisms; Fluid Systems |
| NASA-STD-5018 | Baseline | Strength Design and Verification Criteria for Glass, Ceramics, and Windows in Human Spaceflight Applications (R.CTS.296) | 7.4 | Structures |
| NASA-STD-5019 | Baseline | Fracture Control Requirements for Space Flight (R.CTS.307) | 7.4; 7.5.2; 7.6.2; 8.1 | Structures; Fluid Systems; Propulsion Systems; Fracture Control |
| NASA-STD-5020 | BL (3/12/12) | Requirements for Threaded Fastening Systems in Spaceflight Hardware (R.CTS.298) | 7.4 | Structures |
| NASA-STD-6016 | Baseline | Standard Materials and Processes Requirements for Spacecraft (R.CTS.260) | 7.4.4; 7.5.1; 7.6.2; 8.2 | Structures; Fluids; Propulsion; TDAD; Materials and Processes |
| NASA-STD-7009 | | Standard for Models and Simulations | 5.1.1; 5.2.3; 9.1.3 | Models and Simulations; Structures; Software |
| NASA-STD-8739.1 | Rev. A, change 2 | Workmanship Standard for Polymeric Application on Electronic Assemblies Wiring Boards and Electronic Assemblies (R.CTS.274 and R.CTS.283) | 7.1.5.2 | Avionics and Electrical Systems |
| NASA-STD-8739.4 | Rev. R, change 6 | Crimping, Interconnecting Cables, Harnesses, and Wiring (R.CTS.313 and R.CTS.279) | 7.1.3 | Avionics and Electrical Systems |
| NASA-STD-8739.5 | Rev. R, change 2 | Fiber Optic Terminations, Cable Assemblies, and Installation (R.CTS.273) | 7.1.3 | Avionics and Electrical Systems |
| NPR 7150.2A | Rev. A (11/19/09) | NASA Software Engineering Requirements (R.CTS.262) | 9.1 | Flight and Ground Software |
| SAE ARP 5412A | Rev. A | Aircraft Lightning Environment and Related Test Waveforms (R.CTS.290) | 7.1.7.2 | Avionics and Electrical Systems |
| SAE ARP 5414A | Rev. A | Aircraft Lightning Zoning (R.CTS.290) | 7.1.7.2 | Avionics and Electrical Systems |
| SAE ARP 5577 | Basic | Aircraft Lightning Direct Effects Certification (R.CTS.290) | 7.1.7.2 | Avionics and Electrical Systems |
| SMC Standard SMC-S-016 (2008) | | Test Requirements for Launch, Upper-Stage, and Space Vehicles (R.CTS.315) | 5.6.2; 7.1.2; 7.3.1.2; 7.5.2; 7.6.2 | Thermal Control Analysis; Avionics; Mechanisms; Fluid Systems; Propulsion Systems |
| SMC Standard SMC-S-010 | Baseline | Space and Missile Systems Center Standard, Parts, Materials, and Processes Technical Requirements for Space and Launch Vehicles (R.CTS.319) | 7.2.1 | EEE Parts Management |

2.2 Reference Documents

This section provides a list of technical and manufacturing standards that can be used as references 
during the launch vehicle, spacecraft, and ground system design activities. These references are not part 
of the formal requirements levied via CCT-REQ-1130.


| Document | Revision | Title |
|---|---|---|
| 15 CFR Part 287 | | Guidance on Federal Conformity Assessment |
| AE9/AP9 | | Trapped Energetic Electron and Proton Environments (NSSDC/SDC-A-R&S 76-06 and NSSDC WDC-A-R&S 91-24) |
| AFFDL-TR-72-3 | | Ringsail Parachute Design (Ewing) |
| AFSCMAN 91-710 | | Air Force Space Command Range Safety User Requirements |
| AGARDograph No. 319 | | Design and Testing of High-Performance Parachutes |
| AGARDograph No. 295 | | The Aerodynamics of Parachutes |
| AIAA S-111-2005 | | Qualification and Quality Requirements for Space Solar Cells |
| AIAA S-112-2005 | | Qualification and Quality Requirements for Space Solar Panels |
| ANSI/AIAA S-102.2.4-2009 | | Performance Based Product Failure Mode, Effects, and Criticality (FMECA) Requirements |
| ANSI C63.16 | | American National Standard Guide for Electrostatic Discharge Test Methodologies and Criteria for Electronic Equipment |
| ARM-10 | | Apollo Technical Manual - Reliability |
| AS5553 | | Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition |
| AS9003 | | Inspection and Test Quality System |
| ASD-TR-61-579 | | Performance of and Design Criteria for Deployable Aero Decelerators |
| ASME Boiler and Pressure Vessel Code, Sections VIII Divisions 1, 2, and 3 | | |
| ASME Y14.5-2009 | | Dimensioning and Tolerancing |
| ASTM D6193 | | Standard Practice for Stitches and Seams |
| ASTM E1066-95 | | Standard Test Method for Ammonia Colorimetric Leak Testing |
| ASTM Manual 36 | | Safe Use of Oxygen and Oxygen Systems: Guidelines for Oxygen System Design, Materials Selection, Operations, Storage, and Transportation |
| AWS D1/D1.1M | | Structural Welding Code-Steel |
| AWS D1.2/D1.2M | | Structural Welding Code-Aluminum |
| CPIA Publication 655 (1997-01) | | Guidelines for Combustion Stability Specifications and Verification Procedures for Liquid Propellant Rocket Engines |
| CREME96 | | Cosmic Ray Effects on Microelectronics, single event upset environments. Do not use for electrons. |
| CxP 70038 | | Constellation Program Hazard Analyses Methodology |
| CxP 70043 | | Constellation Program Hardware Failure Modes and Effects Analysis and Critical Items List (FMEA/CIL) Methodology |
| DNA-TR-84-140 | | Satellite Hardness and Survivability; Testing Rationale for Electronic Upset and Burnout Effects |
| DOD-STD-2167A | | Defense Systems Software Development |
| DOT/FAA/AR-MMPDS-01 | | Metallic Materials Properties Development and Standardization |
| E. Normand & T.J. Baker, 1993 | | "Altitude and Latitude Variations in Avionics SEU and Atmospheric Neutron Flux," IEEE Transactions On Nuclear Science, Vol. 40, No. 6, December 1993 |
| Edwards, Normand & Dyer, 2004 | | "Technical Standard for Atmospheric Radiation Single Event Effects, (SEE) on Avionics Electronics," 0-7803-8697-3/04/$20.00 ©2004 IEEE |
| Earth-GRAM 2010 | | Global Reference Atmosphere Model (available from EV44, MSFC) |
| EIA/IEEE J-STD-016-1995 | | Standard for Information Technology Software Life-Cycle Processes Software Development Acquirer-Supplier Agreement |
| Emission of Solar Protons | | Solar proton event, galactic cosmic ray environments, geomagnetic shielding |
| FED-STD-209E | | Clean Room and Work Station Requirements, Controlled Environments |
| GER-12616 | | State-of-the-Art Study for High-speed Deceleration and Stabilization Devices |
| GIDEP S0300-BT-PRO-010 | | Government-Industry Data Exchange (GIDEP) Operations Manual |
| GIDEP S0300-BU-GYD-010 | | Government-Industry Data Exchange (GIDEP) Requirements Guide |
| GSFC-STD-1000 | | Goddard Space Flight Center Rules for the Design, Development, Verification, and Operation of Flight Systems |
| IEEE 730-2002 | | Institute of Electrical and Electronic Engineers (IEEE) Standard for Software Quality Assurance Plans |
| IEEE STD C62.38 | | IEEE Guide on ESD: ESD Withstand Capability Evaluation Methods (for Electronic Equipment Subassemblies) |
| IEST-STD-CC1246D | | Product Cleanliness Levels and Contamination Control |
| International Geomagnetic Reference Field | | Terrestrial magnetic field |
| International Reference Ionosphere | | Cold low Earth orbit plasma environments Ionosphere |
| ISO 14644 | | Cleanroom Standards |
| ISO 9001 | | Quality Management Systems Requirements |
| Jacchia-Bowman | 2008 | Thermosphere drag (Available within Earth-GRAM 2010) |
| JPR 8080.5 | | JSC Design and Procedural Standards |
| JSC 25863B | | Fracture Control Plan for JSC Space-Flight Hardware |
| JSC EA3-10-015 | | Deployable Aerodynamic Decelerator Requirements for Human Space Flight (3.9.9) |
| JSSG-2010-12 | | Crew Systems Deployable Aerodynamic Decelerator (DAD) Systems Handbook |
| King 1972 SPE Model | | Crew Dose for Exposure to Solar Particle Event, Not Recommended for Avionics Applications (Journal of Spacecraft and Rockets, 11, 401, 1974) |
| KSC-DE-512-SM | | Facility, System, and Equipment General Design Requirements |
| KSC-NE-9439 | | KSC Design Engineering Handbook for Design and Development of Ground Systems |
| KSC-STD-Z-0006 | | Standard for Design of Hypergolic Propellants Ground Support Equipment |
| MEM | | Meteoroid Engineering Model (available from EV44, MSFC) |
| MIL-A-83577B | | Assemblies, Moving Mechanical, For Space and Launch Vehicles, General Specification for |
| MIL-C-5541 | | Chemical Conversion Coatings on Aluminum and Aluminum Alloys |
| MIL-DTL-38999 | Rev. L | General Specification for Connectors, Electrical, Circular, Miniature, High Density, Quick Disconnect (Bayonet, Threaded, and Breech Coupling), Environment Resistant, Removable Crimp and Hermetic Solder Contacts |
| MIL-H-7195 | | General Specification for Parachute Hardware |
| MIL-HDBK-17/1 | | Composite Materials Handbook |
| MIL-HDBK-340A | | Volume II Test Requirements for Launch, Upper Stage and Space Vehicles: Application Guidelines |
| MIL-HDBK-5H | | Metallic Materials and Elements for Aerospace Vehicle Structures |
| MIL-HDBK-83578 | | Criteria for Explosive Systems and Devices Used on Space Vehicles |
| MIL-PRF-27401C | | Propellant Pressurizing Agent, Nitrogen |
| MIL-STD-1246C | | Product Cleanliness Levels and Contamination Control Program |
| MIL-STD-129 | | Marking for Shipment and Storage |
| MIL-STD-1522A | | Standard General Requirements for Safe Design and Operation of Pressurized Missile and Space Systems |
| MIL-STD-1546 | | Parts, Materials, and Process Program Requirements |
| MIL-STD-1576 | | Electroexplosive Device Test Methods |
| MIL-STD-1833 | | Test Requirements for Ground Equipment and Associated Computer Software Supporting Space Vehicles |
| MIL-STD-1472 | Rev. G | Department of Defense Design Criteria Standard Human Engineering |
| MIL-STD-810G | | Environmental Test Methods and Engineering Guidelines |
| MIL-STD-882 | | Standard Practice for System Safety |
| MIL-STD-1553 | | Military Standard: Aircraft Internal Time Division Command/Response Multiplex Data Bus |
| MSFC-HDBK-505 | Rev. B | Structural Strength Program Requirements |
| MSFC-SPEC-164 | Rev. C | Specification for Cleanliness of Components for Use in Oxygen, Fuel and Pneumatic Systems |
| MSFC-STD-156 | | Standard for Riveting, Fabrication, and Inspection |
| MSFC-STD-481 | | Standard Radiographic Inspection and Acceptance Standards for Fusion-Welded Joints in Stainless and Heat-Resistant Steel |
| MSFC-STD-3012 | | EEE Parts Management and Control for MSFC Space Flight Hardware |
| MSFC-STD-3535 | Baseline | Standard for Propellants and Pressurants Used for Test and Test Support Activities at SSC and MSFC |
| MSIS-86 | | Atomic oxygen (Available within GRAM 2010) |
| MVWP | | Monthly Vector Wind Model (See NASA/TM 2008-215633) |
| NASA TN D-5968 | | An Investigation of the Initial Century Series Ringsail Parachute |
| NASA-CR-131200 | | Apollo Parachute Landing System (Knacke) |
| NASA-HDBK-7005 | | Dynamic Environmental Criteria |
| NASA-HDBK-5010 | Baseline | Fracture Control Implementation Handbook for Payloads, Experiments, and Similar Hardware |
| NASA SP-106 | | The Dynamic Behavior of Liquids |
| NASA SP-8057 | Revised 1972 | Structural Design Criteria Applicable to a Space Shuttle |
| NASA SP-8060 | | Compartment Venting, NASA Space Vehicle Design Criteria |
| NASA-STD-2202-93 | | Software Formal Inspections Standard |
| NASA-STD-3001 | Volume 1 | NASA Space Flight Human System Standard Volume 1: Crew Health |
| NASA-STD-3001 | Volume 2 | NASA Space Flight Human System Standard Volume 2: Human Factors, Habitability, and Environmental Health |
| NASA-STD-5001 | Rev. A | Structural Design and Test Factors of Safety for Spacecraft Hardware |
| NASA-STD-5002 | | Load Analyses of Spacecraft and Payloads |
| NASA-STD-7009 | | Standard for Models and Simulations |
| NASA-STD-8719.9 | | Standard for Lifting Devices and Equipment |
| NASA/TM-2001-211221 | | Guidelines for the Selection of Near-Earth Thermal Environment Parameters for Spacecraft Design. |
| NASA-TM-2008-215106 | | GN&C Engineering Best Practices for Human-Rated Spacecraft Systems |
| NASA/TM-2008-215633 | | Terrestrial Environment (Climatic) Criteria Guidelines for Use in Aerospace Vehicle Development |
| NASA-TM-X-74335 | | U.S. Standard Atmosphere, 1976 |
| NASA/SP-2010-3407 | Baseline | Human Integration Design Handbook |
| NESC-RP-06-108/05-173-E | | Design, Development Test and Evaluation (DDT&E) Considerations for Safe and Reliable Human-Rated Spacecraft Systems |
| No Number | | NASA Fault Tree Handbook with Aerospace Applications, Version 1.1, dated August 2002 |
| NPD 8700.1 | Rev. E | NASA Policy for Safety and Mission Success |
| NPD 8700.3 | Rev. B | Safety and Mission Assurance (S&MA) Policy for NASA Spacecraft, Instruments, and Launch Services |
| NPD 8720.1 | Rev. C | NASA Reliability and Maintainability (R&M) Program Policy |
| NPD 8730.1 | Rev. C | Metrology and Calibration |
| NPR 2810.1A | Rev. A | Security of Information Technology |
| NPR 6000.1 | | Requirements for Packaging, Handling, and Transportation for Aeronautical and Space Systems, Equipment and Associated Components |
| NPR 7120.5 | Rev. D | NASA Space Flight Program and Project Management Requirements |
| NPR 7123.1 | Rev. A | NASA Systems Engineering Processes and Requirements |
| NPR 8705.2B | Rev. B | NASA Human-Rating Requirements for Space Systems |
| NPR 8715.3 | Rev. C | NASA General Safety Program Requirements |
| NPR 8735.1 | Rev. B | Procedures for Exchanging Parts, Materials, and Safety Problem Data Utilizing the Government-Industry Data Exchange Program (GIDEP) and NASA Advisories |
| NPR 8735.2 | | Management of Government Safety and Mission Assurance Surveillance Functions for NASA Contracts |
| NWC TP 6575 | | Parachute Recovery Systems Design Manual |
| O'Neill-Badhwar GCR Model | 2006 | O'Neill, P.M., Badhwar - O'Neill Galactic Cosmic Ray Model Update Based on Advanced Composition Explorer (ACE) Energy Spectra from 1997 to Present, Advances in Space Research, Vol 37, pp 1727-1733, 2006 |
| ORDEM 3.0 | | Orbital Debris Engineering Model from the JSC Orbital Debris Program Office |
| RTCA DO-160E | Rev. E | Environmental Conditions and Test Procedures for Airborne Equipment (Sections 22 and 23) |
| SAE ARP 4761 | | Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment |
| SAE ARP 5416 | | Aircraft Lightning Test Methods |
| SAE-AS-1098 | Rev. B | Fitting End, Flared Tube, for Seal Ring, Standard Dimensions for, Design Standard |
| SAE-AS-5440 | Rev. A | Hydraulic Systems, Military Aircraft, Design and Installation Requirements for |
| Solar Irradiance Platform | | UV-EUV |
| SSP 30558 | | Fracture Control Requirements for Space Station |
| SWRI Publication by Dodge | 2000 | The New Dynamic Behavior of Liquids in Moving Containers |

3.0 Background

This document has been divided into several disciplines that are traditionally part of every human-rated 
space flight program. Each discipline section outlines the products and processes that are typically part 
of, and critical to, the success of a highly complex space transportation system. The products and 
processes generally focus on ensuring that a comprehensive approach is taken that is consistent with the 
safety requirements of a human-rated system. 

Each section starts with a general narrative and has three subsections as defined below: 

Technical Products 

A description of discipline specific artifacts that typically support the development effort and are used to 
substantiate the adequacy of required Commercial Provider standards called out in Section 3.9 of
CCT-REQ-1130 and/or are considered a crucial product in the review of the Commercial Provider’s
development effort. Acceptable governing standards and processes should call for the creation of these 
products in some form by the Commercial Provider. The Commercial Provider may use internal 
processes, formats, standards, and specifications for the development of these products. 

There are several technical products that will be reviewed by most of the disciplines, systems, and 
subsystems for substantiating the standards and processes used for designing, developing, and certifying 
the CTS. Examples of such artifacts are listed below. This list is not meant to be a formal list of 
deliverables, but is meant to convey to the Commercial Provider the typical artifacts that should be 
reviewed to evaluate proposed Commercial Provider designs, standards, and processes. 

• Development testing results (components, subsystem, system-level) 

• Design certification/qualification test results (components, subsystem, system-level) 

• Design certification/qualification review data package (components, subsystem, system-level) 

• Acceptance criteria and procedure (system, subsystem, and component) 

• Critical design review data packages 

• Failure modes and effects analysis (FMEA) results 

• Reliability predictions and basis for predictions documentation 

• Hardware specifications (components, subsystem, system-level) 

• Interface control documentation 

• Drawings or equivalent solid models 

• System connectivity and functional schematics 

• Structural and fatigue analysis reports 

• Material properties 

• Materials acceptance/process control plan 

• Avionics functional decomposition (components, subsystem, system-level) 

• Sensors/instrumentation specification and function 

• Software testing and verification results 

• Engineering change proposals process, material discrepancy report system, and non-conformance 
reporting (components, subsystem, system-level) 

• Hardware acceptance test criteria (components, subsystem, system-level) 
Technical Assessment

This section has a description of the technical criteria that will be used in assessing the adequacy of the 
Commercial Provider’s standards and reflects NASA’s areas of emphasis in reviewing the Commercial 
Provider’s design. This section will describe areas of emphasis from relevant NASA and industry 
standards for determining if the Commercial Provider’s proposed design standards meet the intent of the 
design standards required by Section 3.9 of CCT-REQ-1130. 

This section may also describe the insight criteria that will be used to evaluate the adequacy of the 
Commercial Provider’s design, beginning with the evaluation of the Commercial Provider’s standards 
and processes. 

References (Optional) 

This section has a discipline specific list of relevant NASA and industry specifications, standards, and 
processes that NASA currently uses to design, develop, and certify human space flight programs. 
Discipline sections may include this information in order to provide the Commercial Provider a 
complete listing of all available technical standards that may be used for design, development, test, and 
evaluation of a CTS. The Commercial Provider does not need to meet the intent of these standards 
unless they are specified as such in CCT-REQ-1130 and Table 2.1 of this document. 
4.0 Safety and Mission Assurance

Safety and Mission Assurance (S&MA) encompasses the traditional disciplines of safety, reliability, 
maintainability, and quality assurance. This section provides guidance on the S&MA processes outlined 
in CCT-PLN-1100 and the requirements contained in CCT-REQ-1130. Human certification relies
heavily on the technical activities and products described in the following S&MA sections and in
CCT-PLN-1120. Other sections of this document, such as design, test, production, and workmanship
standards, are also of interest to S&MA, but are handled by other technical management. The following
sections describe the CCP approach to the evaluation of the technical standards called out in
CCT-REQ-1130 for S&MA.

4.1 Safety Standard for Explosives, Propellants, and Pyrotechnics 

4.1.1 Safety Standard for Explosives, Propellants, and Pyrotechnics Technical Assessment 

An Explosive Safety Plan should summarize the approach for the vehicle, launch site, and any other
locations where NASA personnel are operating. The Explosive Safety Plan should address: 

• Operational explosives limits. 

• Personnel limits. 

• Limit control. 

• Identification of live and inert hardware. 

• Security and training. 

• Operating procedures. 

• Explosion hazards and exposure risk management. 

4.2 Safe Use of Laser Diode and LED Sources 

4.2.1 Safe Use of Optical Fiber Communication Systems Utilizing Laser Diode and LED Sources 
Technical Products 

An Optical Fiber and Laser Diode Utilization Plan should guide the design and use of these devices and
should include, at a minimum: 

• A listing of all laser devices used during planned ground and flight operations where NASA 
personnel will be potentially exposed to laser sources. 

• The laser specification (e.g., wavelength, power output for nominal and worst case failure 
scenario, etc.). 

• Operational procedures, including hazard controls. 

4.2.2 Reserved 

5.0 Integrated Analysis

All integrated analyses should include the following important attributes. Documentation should 
demonstrate that these elements have been captured. 

• All vehicle and environmental models use, address, and sufficiently account for uncertainties 
inherent in modeling and environment characterization. 

• Interactions and relationships between subsystems are identified and defined. 

• The operations team for the vehicle/mission is involved with the design teams from the earliest 
design phases to provide input to the design teams and to understand design decisions made. 

• The coordinate frames and the system of units (and associated conversion factors) that are to be 
employed are documented and compliance is rigorously enforced. 

• An integrated vehicle analysis that accounts for subsystem interactions and overall mission design. 

5.1 Models and Simulations 

Many of the system sections of this document identify specific subsets of the products and technical 
assessments expected for modeling and simulation. Although these subsets are of especial interest to the 
specific system, it is noted that the modeling and simulation products and technical assessments 
identified in this section are expected for all applicable models and simulations (M&S), regardless of
whether they are specifically identified under those system sections.

Documentation related to any models or simulations whose analysis results are used to make critical 
decisions regarding design, development, manufacturing, and ground or flight operations that may 
impact human safety or Program-defined mission success criteria will be reviewed. Of particular 
interest are the methods and procedures used a) for determining (through risk assessments) which 
software models and simulations influence critical decisions and b) for assessing and communicating the 
credibility of model/simulation analysis results based on factors such as verification, validation, input 
pedigree, results uncertainty quantification, results robustness, use history, qualifications of applicable 
personnel, and M&S management. 

At a minimum, it is expected that all M&S used for making critical decisions are identified. In addition, 
for those M&S that are used to make critical decisions, it is expected that the credibility assessment 
factors identified in the previous paragraph be communicated in conjunction with the specific results 
provided from those M&S. Specific M&S analysis results include the following: 

• Results estimate (based on an appropriately verified and validated model with input data of 
appropriate pedigree). 

• Quantitative statement of uncertainty in the results (results uncertainty quantification). 

• Caveats that accompany the results, e.g., errors, warnings, etc. (results robustness, use history, 
personnel qualifications, and/or M&S management issues). 

• An understanding of the associated risks (results of risk assessments). 

Appendix C provides examples of how M&S used for making critical decisions can be identified, along 
with an example method for communicating the key credibility and risk assessment factors to the people 
making decisions influenced by the analysis results produced by these M&S. 

5.1.1 Models and Simulations References

Document Number           Revision  Title

NASA-STD-7009                       Standard for Models and Simulations


5.2 Structural Dynamics Analysis, Loads, and Models 

The purpose of analyses performed to predict loads and structural dynamic responses is to evaluate 
events which occur over the course of a vehicle's mission profile and ensure that bounding design 
conditions are defined. Design-to loading conditions must be identified with sufficient accuracy and 
statistical likelihood to preclude structural failure over the vehicle design and operational life-cycle. 

Key to this effort are the fidelity of the characterizations of the environments and loading sources to 
which a structure will be exposed and of models used for prediction of dynamic responses over the 
entire spectrum of excitation frequencies. 

5.2.1 Structural Dynamics Analysis, Loads, and Models Technical Products 

Products to substantiate adequacy of loads and dynamic response predictions typically include both 
models and analysis reports. These reports should document analyses (e.g., loads, vibration, 
vibroacoustic, etc.) conducted on the vehicle, including its systems, subsystems, and components, to 
generate data used to calculate stresses and/or to identify operational limits and restrictions. Analysis 
documentation/reports should include assumptions, boundary conditions, applied environments (natural 
and induced), and forcing functions for response analyses, rationale, models, and appropriate results. 
Appropriate results include all significant loads encountered during vehicle service life, from 
manufacturing to the end of service, and vibroacoustic environments to be used for range safety, 
transportation, hardware qualification, and workmanship screening. Additional products, including 
failsafe flight data (i.e., black box or telemetry) and system models, will be required for reconstruction 
following major anomalies, failures, or aborts. 

Analysis reports should also include documentation of all math models used for loads and dynamic 
response analyses. Model verification and validation with standard methods, including use of multiple 
independent models, should be well documented with the model validation data accessible and traceable 
to the appropriate model. Model descriptions should indicate pertinent modeling parameters, model 
display, material properties used, and type of model. A full description of the tests to be used, or which 
have been used, to validate the models is expected as part of the Structural Verification Plan (SVP). 

5.2.2 Structural Dynamics Analyses, Loads, and Models Technical Assessment 

NASA has a strong expectation that any alternate standard for structural dynamics analysis, loads 
development, and models would include, at minimum: 

• Performance of a minimum of two load cycles, including a preliminary design cycle and a 
verification analysis cycle. 

• Use of validated models in the verification analysis cycle. 

• Use of validated environments and forcing functions in the verification analysis cycle. 

• Documentation of all models, environments, and forcing functions developed for assessment of all 
mission phases and all associated output requests, load indicators, load indicator redlines, and 
output transformation matrices. 

Review of the structural dynamic analyses, loads, and models will determine if a standard meets the
intent of JSC 65829, Loads and Structural Dynamics Requirements for Space Flight Hardware. Review 
will place specific emphasis on: 

• Model validation. 

• Dynamic event selection and associated forcing function development. 

• Treatment of combination of effects of simultaneous or event-consistent load sources. 

• Treatment of combination of effects of quasi-static, low-frequency transient, and random loading 
environments. 

• Vehicle natural and induced environments used in dynamic response prediction. 

• Validation of induced environments used in dynamic response prediction. 

• Expected sources of data for anomaly/failure investigation and resolution. 

• Engine margin validation. 

Specific goals of this review are to: 

• Verify that the process/approach used to model the dynamics, including frequencies, modes, and 
damping, is complete, accurate, and incorporates appropriate uncertainty factors. 

• Verify predicted responses for critical mission events via NASA Independent Verification and
Validation (IV&V) coupled loads analysis using contractor models and forcing functions.

• Validate that frequencies and modes of the dynamic models are traceable to ground testing. 

• Validate the induced crew cabin internal environments (i.e., acceleration, vibration, acoustic, and 
shock) to which the flight crew will be exposed. 

• Validate flight environments and flight loads. 

• Validate the self-induced environments and loads to which the engine(s) will be exposed. 

• Validate the engine environments and loads to which the vehicle components will be exposed 
during all phases of main propulsion system (MPS) development, green run, and flight, in which 
the engine and vehicle are hot-fire tested as a system, such as during stage green-run or MPS 
development tests. 

Final determination that the vehicle, element (stage), system, and/or components are qualified with 
respect to dynamic loads and environments will be based on review of: 

• Qualification/acceptance documentation, including associated test documents and data. 

• Vibroacoustic and shock environment derivation analyses, including validating test data and 
analyses. 

• Forcing functions for all significant flight events, including derivation methodologies and 
supporting flight/ground test data and analyses used. 

• Mapping of environments to elements, system, or component locations. 

• Performance requirements and substantiating ground and flight test data. 


5.2.3 Structural Dynamics Analyses, Loads, and Models References 


Document Number           Revision  Title

NASA-STD-5002                       Load Analyses of Spacecraft and Payloads

NASA-HDBK-7005                      Dynamic Environmental Criteria

NASA-STD-7009                       Standard for Models and Simulations

5.3 Integrated Vehicle Dynamics Analysis

5.3.1 Integrated Vehicle Dynamics Technical Products 

During atmospheric and exoatmospheric flight, space flight vehicles are subject to numerous sets of 
circumstances where the possibility exists for coupling between the vehicle dynamic response and either 
external or self-induced excitation and/or operation of vehicle subsystems. Among these are static and 
dynamic aeroelastic instabilities, pogo, control/structure interaction, etc. Generally, flight vehicles 
cannot be designed to withstand these phenomena. Rather, analyses are performed to demonstrate 
margins with respect to onset of these effects (divergence, flutter, panel flutter, control reversal, 
control/structure interaction, pogo stability, etc.). 

Section 6 in JSC 65829, Loads and Structural Dynamics Requirements for Space Flight Hardware,
defines requirements covering coupling phenomena or other interaction between structural dynamics 
and aerodynamic environments, vehicle control systems, or propulsion system elements. Such 
requirements encompass multiple technical disciplines, including structures, propulsion, aerodynamic, 
and control system architecture. It is expected that Commercial Providers will have existing standards 
and design practices to address and mitigate these dynamic coupling phenomena. In this event, the 
adequacy of such standards/practices is subject to review with respect to the requirements in JSC 65829. 

Products to substantiate adequacy of integrated vehicle dynamics consideration should consist of 
analysis models and reports documenting analyses conducted on the vehicle, its systems, subsystems, 
and components to generate data used to establish margins with respect to the various coupling 
phenomena. Analysis documentation/reports should include assumptions, boundary conditions, applied 
environments (natural and induced) and forcing functions for response analyses, rationale, models, and 
appropriate results. 

Analysis reports should also include documentation of all math models used for the analyses. 
Verification and correlation of models should be well documented with the model validation data 
accessible and traceable to the appropriate model. Model descriptions should indicate pertinent 
modeling parameters, model display, material properties used, and type of model. A full description of 
the tests to be used, or which have been used, to validate the models is expected as part of the SVP. 

5.3.2 Integrated Vehicle Dynamics Technical Assessment 

Review and assessment of integrated dynamics analyses will determine if a Commercial Provider's 
standards meet the intent of JSC 65829, Loads and Structural Dynamics Requirements for Space Flight 
Hardware. Review and assessment will place specific emphasis on: 

• Validation of the process/approach used to model the dynamics, including frequencies, modes, and 
damping. 

• Validation of the models used in performing the analyses. 

• Validation of induced environments used in dynamic response prediction. 

• Demonstration of required margins for static and dynamic aeroelastic effects (e.g., divergence, 
flutter, panel flutter, control surface buzz, control reversal, etc.). 

• Characterization of stall flutter and verification of positive structural/control margins at high angle- 
of-attack (where applicable to vehicle design). 

• Demonstration of required control system stability margins with respect to vehicle flexible 
dynamics. 

• Results and margins from pogo stability analysis.

• Evaluation of propulsion thrust oscillation, if any, on the integrated vehicle stack. 

• Predictions of vehicle slosh mode frequencies and damping. 

• Demonstration of required control system stability margins with respect to vehicle slosh modes. 

• Mitigation of flow-induced vibration in flex hoses and bellows. 

• Availability of data and models for anomaly/failure investigation and resolution. 


5.3.3 Integrated Vehicle Dynamics References 


Document Number           Revision  Title

NASA SP-8057                        Structural Design Criteria Applicable to a Space Shuttle
(revised 1972)

NASA-HDBK-7005                      Dynamic Environmental Criteria


5.4 Flight Mechanics and GN&C 

The purpose of analyses and tests performed in this area is to demonstrate that vehicle flight will be safe 
and successful with respect to these discipline areas through analysis. Key to this effort is correct 
modeling of the various vehicle systems, along with their uncertainties, and rigorous verification. 

5.4.1 Flight Mechanics and GN&C Technical Products 

Products to substantiate adequacy of flight mechanics and guidance, navigation, and control (GN&C) 
analysis and test typically include both models and analysis, as well as test reports. Analysis reports 
should include sufficient information to demonstrate that the appropriate amount of rigorous analysis 
has been conducted and provide the detail necessary for the evaluator to reach the same conclusions. 
Analysis reports should also include documentation of all math models and simulations used. 
Verification and correlation of models and simulations should be well documented with the model 
validation data accessible and traceable to the appropriate model. Likewise, test reports should 
document the appropriate testing sufficient for the reader to verify that the tests were appropriately 
conducted and that the results were successful. 

5.4.2 Flight Mechanics and GN&C Technical Assessment 

NASA has a strong expectation that any Commercial Provider flight mechanics and GN&C analysis for 
human-rated systems would include, at minimum: 

• High-fidelity 6 degree-of-freedom time domain simulations, including dispersions and failure
modes, are performed such that:

o Dispersion analysis demonstrates that the mission success, safety, and performance
requirements are satisfied.

o Stress cases are conducted to demonstrate system robustness.

o Propellant margins are shown to be adequate.

• Flight control designs meeting stability and controllability criteria:

o Maintain rigid body margins of 6 dB gain and 30 degrees phase for non-dispersed conditions
and maintain margins of 3 dB gain and 20 degrees phase for dispersed conditions.

o Maintain flex body margins of 6 dB gain and 30 degrees phase for dispersed conditions.

o Maintain equivalent robustness measures for non-classical design approaches (i.e., non-linear).

• Flight control system stability analysis determining what, if any, slosh damping characteristics are
required to maintain vehicle or spacecraft stability.

• The control actuation system has sufficient control authority required for known disturbances
and dispersions.

• The dynamics in ALL flight phases are analyzed (e.g., aerodynamics, flexibility, damping, 
gyrodynamics, plume impingement, moving mechanical assemblies, fluid motion, changes in mass 
properties, tail-wags-dog, etc.). 

• The GN&C subsystem should adhere to the “Test Like You Fly” philosophy. 

NASA has a strong expectation that testing for human-rated systems would include items, such as the 
following: 

• All heritage hardware/software in the CTS subsystem architecture is evaluated and tested to
determine its viability for use in a human-rated system while taking into account the
differences in build, flight configuration, mission application, flight environment, or
design/operations teams required to achieve human-rating.

• The system adheres to the “Test Like You Fly” philosophy such that it is tested and flown in the 
same configuration and operational modes. 

• The vehicle subsystem models used in simulations are validated by test to the maximum extent 
possible. 

• Verification of subsystem design models and simulations should be performed prior to human 
flight. 

• All unexpected results or anomalies during hardware testing are explained and/or incorporated into 
the simulation math model. 

• Hardware-in-the-Loop testing (that includes sufficient hardware to capture all critical subsystem 
interfaces) is conducted to verify proper and expected H/W and S/W interactions in all operational 
modes, during mode transitions, and all mission critical events, and including all software paths. 

• End-to-end integrated flight HWIL simulation should be used for validating the software 
simulation for timing and communications models. 

• A true end-to-end sensors-to-actuators polarity and coordinate systems test is conducted for all 
flight hardware/software configurations, including all flight harnesses/data paths, and resolving all 
test anomalies. 

• Test reports should include analysis results performed in support of verification and validation of 
performance requirements. 

• Flight tests are performed to verify and validate nominal and abort design and operations with 
flight-like hardware and software. 

• Human-in-the-Loop testing to verify handling qualities during manual control of the spacecraft's 
flight path and attitude during all applicable phases where manual control is planned including ISS 
proximity operations. 


5.4.3 Flight Mechanics and GN&C References 


Document Number           Revision  Title

NASA-TM-2008-215106                 GN&C Engineering Best Practices for Human-Rated Spacecraft
                                    Systems

5.5 Integrated Abort Analysis

The purpose of integrated abort analyses is to confirm that a robust abort capability exists across all
mission phases, beginning with the timeframe that the crew ingresses the launch vehicle stack, all the
way until the crew has successfully been recovered post-mission by the ground support team.

5.5.1 Integrated Abort Analysis Technical Products

Products to substantiate adequacy of abort design and operations typically include both models and 
analysis and test reports. Analysis reports should cover the full range of abort options from pre-launch 
through post-landing phases. Analysis reports should include sufficient information to demonstrate that 
the appropriate amount of rigorous analysis has been conducted and provide the detail necessary for the 
evaluator to reach the same conclusions. Analysis reports should also include documentation of all math 
models and simulations used. Verification and correlation of models should be well documented with 
the model validation data accessible and traceable to the appropriate model. Likewise, test reports 
should document the appropriate testing sufficient for the reader to verify that the tests were 
appropriately conducted and that the results were successful. Test reports should include analysis of 
abort flight test missions performed in support of verification and validation of abort capabilities. A full 
description of the tests to be used, or which have been used, to validate the models is expected as part of 
the SVP. 

5.5.2 Integrated Abort Analysis Technical Assessment 

NASA expects that the Commercial Provider will perform 3 DOF and 6 DOF statistical analyses using 
closed-loop GN&C simulation and including vehicle and environmental uncertainties, which address at 
least the following areas: 

• Abort trigger settings, designed such that they will provide for both a low probability of false 
positive and a low probability of false negative. 

• Identification of parameters or measurements used as abort triggers, and the process and rationale
for their selection.

• Identification and simulation of ascent failure scenarios, conducted to ensure the ability of the crew 
module to depart the launch vehicle prior to reaching any vehicle and crew module limit loads or 
other “demise” criteria (in nearly all cases). 

• Analysis of ascent abort operations and its interaction with pending flight termination 
commanding. 

• Required abort success percentages are achieved at each moment in each flight phase. 

• Appropriate sizing of discrete time steps for abort initiation within the larger time bins. 

• Appropriate approach to modeling temporally overlapping failure modes. 

• Appropriate approach to modeling temporally overlapping abort modes. 

• Spacecraft touch down within safe landing and recovery areas. 

The above analyses are conducted for probabilistic dispersed flight conditions and for probabilistic 
failure modes. During modeling of failures and subsequent abort, loss of control dynamic effects and 
blast and debris environments should be considered, along with launch abort vehicle stability and 
control and subsequent crew module flight. 

5.6 Thermal Control Analysis and Models

The purpose of integrated thermal analyses is to demonstrate that the vehicle performs within allowable 
temperature limits for all flight phases (pre-launch, ascent, on-orbit, entry, and post-entry). Key to this 
effort is the use of integrated thermal math models of the vehicle, systems, subsystems, and components 
to determine the flight thermal environments and overall vehicle thermal performance. Analytical 
verification cycles would be expected early in the Program using a Design Reference Mission (DRM) 
design that reasonably encompasses most expected actual missions, as well as mission-specific analysis 
cycles, to capture vehicle modifications throughout its life-cycle and derive more nominal thermal 
expectations for any particular mission. 

5.6.1 Thermal Control Analysis and Models Technical Products

Products to substantiate adequacy of overall integrated vehicle thermal response predictions include 
thermal math models and analysis reports. Analysis reports should include sufficient thermal 
performance information to assess and ensure thermal compliance for all mission phases (prelaunch, 
ascent, on-orbit, entry, and post-entry). These reports should document data used to assess thermal 
response of the integrated system, as well as to identify any mission operating thermal constraints. 
Analysis documentation/reports should include vehicle allowable temperature limits (operational, non- 
operational, safety), bounding thermal environment parameters (natural and induced), thermal DRM 
(vehicle attitudes/orientations and timeline durations), thermal design approach and description, and 
appropriate results. Analysis reports should also document predicted/measured thermal control heater 
duty cycles and identify thermal instrumentation locations. 

Reports should include documentation of thermal math models (uncorrelated and correlated) used for 
thermal predictions. The use of uncorrelated models by Commercial Providers should carry sufficient 
thermal margin so as to accommodate the higher level of uncertainty associated with those models. 
Model descriptions should indicate thermo-physical and optical properties, thermal analysis margin, and 
uncertainties. 

5.6.2 Thermal Control Analysis and Models Technical Assessment 

NASA has an expectation that any Commercial Provider developed standards for integrated thermal 
control analysis and models would meet the intent of SMC-S-016, Test Requirements for Launch, Upper
Stage, and Space Vehicles, and include, at minimum:

• Use of validated and correlated models in the verification analysis cycle. 

• Performance of mission specific thermal assessments and verification, inclusive of nominal and 
off-nominal attitude timeline mission operational modes. 

• Analyze vehicle thermal control function performance and define on-orbit thermal environments 
for integrated thermal analysis with the docked vehicle, including interfaces and critical locations, 
and identify significant thermal performance issues. 

• Maintain configuration control of integrated thermal math models for defining natural and induced 
environments and performing integrated thermal analysis. 


5.6.3 Thermal Control Analysis and Model References 


Document Number           Revision  Title

SMC-S-016                           Test Requirements for Launch, Upper-Stage, and Space Vehicles

5.7 Aeroscience

Three major categories are involved in evaluating the performance and safety of aeroscience related 
environments: 

• The forces and moments on a vehicle during ascent and entry. 

• The aerothermodynamic heating on a vehicle.

• The on-orbit plumes and their effect on surrounding objects. 

The tools available to define these environments are wind tunnel testing, computational methods, 
engineering or analytical methods, and flight testing. Each of these environments has associated 
uncertainties and margins. The guidelines for determining the level of required fidelity for each of these
categories are outlined below.

5.7.1 Aerodynamics 

Requirements on aerodynamic environments can be divided into two categories: scope/coverage and 
fidelity/accuracy. Scope/coverage requirements are determined by the operation range of the vehicle, 
while fidelity/accuracy requirements are typically not levied directly on the aerodynamic database, 
rather the requirements and/or performance criteria of other disciplines (e.g., structures, GN&C, etc.) 
determine the fidelity needed for the aerodynamic environments. This indirect path leads to a set of 
derived requirements for the aerodynamics that are determined through an iterative multi-disciplinary 
analysis process targeting production of nominal aerodynamic environments with a level of uncertainty 
that allows other disciplines to meet requirements. 

To enable a meaningful review of the aerodynamic environments, the Commercial Provider should 
provide an aerodynamic substantiation report which documents how the data for the database was 
acquired, what best practices and assumptions were used, how associated uncertainties and margins 
were developed and applied, evidence that the uncertainties are appropriate, and how verification and 
validation was applied to the overall process. The report should also demonstrate that the aerodynamic 
database provides sufficient coverage for the flight regime that the vehicle may encounter and that any 
reconstitution of the database to be incorporated into the flight dynamics simulations accurately reflects 
the aerodynamic database itself. 

5.7.2 Aerothermal 

The methodology for defining aerothermal design environments must be documented. Specifically, the 
approach used for defining the heat transfer, pressure loading, and shear stress caused by the flow 
around the vehicle must be defined, including: 1) nominal acreage heating to heat-load and heat-rate 
sensitive components, 2) specialized design environments for control surfaces, thermal barriers, 
protuberances, cavities, and jet interactions where appropriate, 3) modeling assumptions for laminar, 
transitional, and turbulent flow states, and 4) the uncertainties applied to such environments. The use of 
aerothermal environments as part of a larger thermal protection system margin policy should be 
presented. 

To enable a meaningful review of the aerothermodynamic environments, the Commercial Provider 
should provide an aerothermodynamic substantiation report which documents how the data for the 
database was acquired, what best practices and assumptions were used, how associated uncertainties and 
margins were developed and applied, evidence that the uncertainties are appropriate, and how 
verification and validation was applied to the overall process. The report should also demonstrate that 
the aerothermodynamic database provides sufficient coverage for the flight regime that the vehicle may 
encounter and that any reconstitution of the database into the thermal protection system design process
accurately reflects the aerothermodynamic database itself. 

5.7.3 On-Orbit Plumes

To ensure the safety of the ISS crew and the integrity of the ISS, vehicles which visit the ISS must be 
operated such that any plume impingement of the visiting vehicle to the ISS does not cause any adverse 
effects, such as excessive structural loads, excessive temperature rise, excessive contaminant deposition, 
or excessive surface erosion. Verification of this requirement will be performed by analysis. 

Such analyses require the definition of the plume flow field environment, which may be in the form of 
either an algebraic math model or tabular data for such quantities as dynamic pressure, velocity
magnitude, and the distribution of non-gaseous effluents in the plume. The Commercial
Provider providing crew transportation service is expected to provide either such an environment, or
alternatively, the data for the vehicle's reaction control system thrusters, such as combustion chamber 
operating parameters, nozzle contour shape(s), engine thrust level(s), and engine mass flow rate(s). The 
latter alternative allows the Government to develop the required environments. The chosen alternative 
will be negotiated between NASA and the Commercial Provider. 

These analyses also require data on the operation of the thruster during proximity operations for both 
nominal and off-nominal (including hardware failure and commanded abort) scenarios. The 
Commercial Provider is expected to provide a database of jet firing histories that give adequate coverage 
for such scenarios. Such a database should be developed using vehicle dynamics simulations, which 
include models that sufficiently represent the visiting vehicle's range of mass properties, the vehicle's 
sensors that provide position and attitude relative to the ISS, and the vehicle's control system 
logic/algorithms. 

6.0 Ground Support Equipment

The purpose of this standard is to convey the minimum engineering best practices for the design of 
Ground Support Equipment (GSE). Additional engineering and safety practices for the design of GSE 
may be levied upon a Commercial Provider by the institution/site in which they are operating. 

6.1 Ground Support Equipment 

NASA has a strong expectation that a Commercial Provider’s minimum engineering design best 
practices would address the items as referenced in NASA-STD-5005C, Standard for the Design and 
Fabrication of Ground Support Equipment. 

6.1.1 Ground Support Equipment Design Technical Products 

Products to convey the minimum engineering best practices when designing GSE that interfaces with 
flight hardware include documentation that substantiates that each component has been adequately 
analyzed and/or tested. 

6.1.2 Ground Support Equipment Design Technical Assessment 

NASA has a strong expectation that a Commercial Provider’s GSE documentation would include items, 
such as the following: 

• Detailed stress analysis, including a summary of the margins of safety. 

• Proof test demonstrations, including test reports. 

• Component material certification. 

• Critical weld inspections. 

• Electrostatic discharge (ESD) compliance test reports. 

• Electromagnetic compliance test reports. 

• Electrical bonding compliance test reports. 


6.1.3 Ground Systems Design References 


Document Number           Revision  Title
------------------------  --------  --------------------------------------------------------------
NASA-STD-8719.9                     Standard for Lifting Devices and Equipment
MSFC-STD-156                        Standard for Riveting, Fabrication, and Inspection
MSFC-STD-481                        Standard Radiographic Inspection and Acceptance Standards
                                    for Fusion-Welded Joints in Stainless and Heat-Resistant Steel
AWS D1/D1.1M                        Structural Welding Code - Steel
AWS D1.2/D1.2M                      Structural Welding Code - Aluminum
ASME Boiler and
Pressure Vessel Code,
Sections VIII Divisions
1, 2, and 3
KSC-DE-512-SM                       Facility, System, and Equipment General Design Requirements
KSC-NE-9439                         KSC Design Engineering Handbook for Design and
                                    Development of Ground Systems
KSC-STD-Z-0006                      Standard for Design of Hypergolic Propellants Ground Support
                                    Equipment

7.0 Launch Vehicle, Spacecraft, and Crew Systems Design 

7.1 Avionics and Electrical Systems 

7.1.1 Avionics Technical Products 

The complexity of avionics equipment and the involvement of many independent organizations 
significantly add to the risk to performing a successful mission. Loss of mission due to an avionics 
failure proves to be very costly. Testing the avionics equipment extensively at several assembly levels 
(from units to the overall system) through the various Program verification phases (qualification, 
acceptance, pre-launch, and on-orbit) has been a cost effective way of further assuring successful 
equipment and operation. 

In order to substantiate that the Commercial Provider meets the intent of standards required by 
CCT-REQ-1130, and to demonstrate that the system design meets applicable requirements for human-rating 
(which is capable of sustaining its operational role during the life-cycle), emphasis will be placed on the 
following, at a minimum: 

• Subsystem and unit-level specifications. 

• Electrical, Electronic, and Electromechanical (EEE) Parts Selection Plan and screening process. 

• Materials Selection Plan for chassis (if different from that used for mechanical structure). 

• Fasteners Selection Plan for chassis and assembly (if different from that used for mechanical 
structure). 

• Unit interconnect drawings and schematics. 

• Printed wiring board schematics and layout drawings. 

• Box level assembly drawings. 

• As-designed and as-built EEE parts list. 

• As-designed and as-built mechanical parts list. 

• Programmable device design and implementation processes. 

• Programmable device design documentation (code and schematics). 

• Programmable device test plans and data. 

• Qualification plans, procedures, as-run data, and reports, including electromagnetic interference 
(EMI)/electromagnetic compatibility (EMC), ESD, and lightning transient testing. 

• Worst case circuit analysis for each avionics unit. 

• Avionics system analysis/test for throughput, noise/ripple on power, and electrical 
impedance/isolation for signals. 

• Acceptance test plans, procedures, and as-run data. 

• Avionics integrated system test plans, procedures, and as-run data. 

• Electrical power quality requirements, including details on control of electrical faults. 

• Electrical Power and Energy Plan. 

• Sneak circuit analysis. 

7.1.2 Avionics Technical Assessment 

Review of acceptance and qualification data (test plans, procedures, and reports) verifies that the CTS 
(including refurbished or re-flown products) meets performance specifications, demonstrates acceptable 
quality and workmanship, and is ready to be committed to flight. Review and assessment of subsystems 
and unit qualification and acceptance data will determine if a Commercial Provider’s standards meet the 
intent of SMC-S-016, Test Requirements for Launch, Upper-Stage, and Space Vehicles. 

For all existing avionics unit designs, qualification test reports/data will be reviewed to ensure testing 
was performed according to the Qualification Plan and to evaluate any anomalies identified during 
testing and the resolution of those anomalies. For all avionics unit designs, acceptance test plans and 
acceptance test reports/data will be reviewed prior to completion of vehicle integration to ensure testing 
was performed to the Acceptance Test Plan and all hardware passed acceptance testing. As-built design 
and manufacturing information will be made available for review for each avionics unit. Avionics 
systems-level designs, interfaces, and analyses will be reviewed for evaluation of proper avionics system 
function and adequate margins. All systems-level test plans and results, from a laboratory environment 
and from vehicle integration, will be made available for review to ensure testing was performed to the 
test plan and the avionics system passed all integrated testing. Test results will show that on-board 
computational capability is sufficient to execute all critical software operations at the appropriate 
frequency. 

For new avionics unit designs, an assessment will be performed on all design documentation and 
component/materials selection plans to ensure specifications are met. Qualification plans will be 
evaluated to ensure units are tested to appropriate environmental levels, including EMI/EMC, in 
accordance with the Commercial Provider-provided Environmental Electromagnetic Effects Control 
Plan. For new or modified avionics system-level designs, specifications will be evaluated to make sure 
avionics unit interfaces are verified to meet system interface requirements, and system-level test reports 
will be reviewed to ensure appropriate system performance. For all new or modified avionics unit 
designs and all new or modified avionics systems designs, the Commercial Provider will include 
avionics as part of the formal design review and certification process. 

7.1.3 Interconnecting Cable and Harnesses 

Considerable experience has been gained in the area of electrical wiring subsystems throughout NASA’s 
history of human space flight. It is clear that there have to be sufficient processes and requirements for 
procuring components, implementing procedures for fabrication, installation, and testing, as well as 
associated training. Because of the large amount of wiring required and its impact on weight, volume, 
and the function of other subsystems, the importance of electrical wiring and connecting devices cannot 
be overemphasized. 

7.1.3.1 Interconnecting Cable and Harness Technical Products 

In order to substantiate that the Commercial Provider meets the intent of NASA-STD 8739.4, Crimping, 
Interconnecting Cables, Harnesses, and Wiring; NASA-STD-8739.5, Fiber Optic Terminations, Cable 
Assemblies, and Installation; and JSC 62809, Human-Rated Spacecraft Pyrotechnic Specification; and 
to certify the design, fabrication, and installation for human-rating, emphasis will be placed on the 
following, at a minimum: 

• Voltage drop analysis. 

• Routing and bend radius documentation showing circuit EMC. 

• Comprehensive cabling bill of materials. 

• Harness manufacturing process specification. 

• Tool calibration and maintenance. 

• Cable Qualification Test Plan. 

• Harness Acceptance Test Plan. 

• Personnel Training and Certification/Re-certification Plan. 

• Installation Plan. 

• Cable/Harness Test and Inspection Plan. 

• Cable Maintenance Plan. 

• Interconnectivity schematics. 

• Wire lists. 

• Installation drawings. 

7.1.3.2 Interconnecting Cable and Harness Assembly Technical Assessment 

Review and analysis of the electrical interconnect system design and verification process will determine 
if a Commercial Provider’s standards meet the intent of the following: 

• NASA-STD 8739.4, Crimping, Interconnecting Cables, Harnesses, and Wiring. 

• NASA-STD-8739.5, Fiber Optic Terminations, Cable Assemblies, and Installation. 

• JSC 62809, Human-Rated Spacecraft Pyrotechnic Specification. 

• Verification that all mechanisms have a suitable operational range to encompass ground and flight 
environments, including static loading, dynamic loading, and thermal impacts. 

A review of the documented methods and procedures proposed to incorporate requirements for 
interconnecting cable and harness assembly design, fabrication, installation, and associated testing will 
place emphasis on the following areas: 

• Materials (e.g., conductor, insulation, connectors, etc.). 

• Conductor stripping processes. 

• Crimping processes and verifications. 

• Separation of redundant harnesses/circuits. 

• Electromagnetic interference/compatibility. 

• Routing, support, and protection of harnesses for operating environments. 

• Adjacent bent pin assessment. 

• Red plague mitigation. 

7.1.4 Crewed Vehicle Battery Safety 

7.1.4.1 Crewed Vehicle Battery Safety Technical Products 

In order to substantiate that the Commercial Provider meets the intent of JSC 20793, Crewed Space 
Vehicle Battery Safety Requirements, and to certify the design for human-rating, emphasis will be placed 
on the safety data package, which should include, at a minimum, the following: 

• FMEA, including toxicity, materials, and off-gassing. 

• Data that allows insight into the hazards (e.g., venting, fire, thermal runaway, etc.), as well as the 
controls for mitigation, along with the test methods used to verify the controls. 

• Battery specifications, qualification, certification, lot, and flight acceptance test plans. 

• Data from these tests. 

7.1.4.2 Crewed Vehicle Battery Safety Technical Assessment 

Review and analysis of the electrical crewed vehicle battery system design and verification process will 
determine if a Commercial Provider’s standards meet the intent of JSC 20793, Crewed Space Vehicle 
Battery Safety Requirements. 

Taking into account the battery’s chemistry, launch environment, on-orbit usage, complexity, capacity, 
location, its propensity for venting, fire and thermal runaway, etc., evaluation criteria of the Crewed 
Vehicle Battery Safety Report/Plan/Test documentation submitted will place emphasis on the following 
areas: 

• Fault tolerance to catastrophic failures. 

• Incorporation and verification of hazard controls. 

• Charging system implementation (if applicable) and safety. 

• Mission criticality. 

7.1.5 Printed Wiring Boards 

7.1.5.1 Printed Wiring Boards Technical Products 

In order to substantiate that the Commercial Provider's alternate documents meet the intent of standards 
identified in CCT-REQ-1130 for printed circuit board design, fabrication, and assembly, a review of the 
alternate documents will be conducted. 

In addition, the Commercial Provider will provide or make available individual printed circuit board 
documentation including, but not limited to, vendor conducted test reports, as well as tested and untested 
coupons that substantiates that the “as-designed” and “as-built” configurations meet the intent of the 
baseline of requirements established by the applicable standards. In addition to meeting the intent of the 
requirements outlined in the reference documents, workmanship on printed circuit assemblies will 
further be verified by successful completion of certification testing, including, but not limited to, the 
following: 

• Electrical component burn-in. 

• Thermal cycling (vacuum, if applicable). 

• Vibration. 

Design of the certification testing will conform to the expected operating environments. 

7.1.5.2 Printed Wiring Boards Technical Assessment 

Review and analysis of the electrical crewed vehicle battery system design and verification process will 
determine if a Commercial Provider’s standards meet the intent of the following: 

• IPC J-STD-001E, Requirements for Soldered Electrical and Electronic Assemblies Electrical 
Clearance. 

• IPC J-STD-001ES, Space Applications Electronic Hardware Addendum to J-STD-001, 
Requirements for Soldered Electrical and Electronic Assemblies. 

• IPC 2152, Standard for Determining Current Carrying Capacity in Printed Circuit Board Design. 

• IPC 2220 Series, Family of Printed Board Design Documents. 

• IPC 6010 Series, Family of Printed Board Performance Documents. 

• IPC-CM-770E, Component Mounting Guidelines for Printed Boards. 

• NASA-STD-8739.1, Workmanship Standard for Polymeric Application on Electronic Assemblies. 

• GEIA-STD-0005-1, Performance Standard for Aerospace and High Performance Electronic 
Systems Containing Lead-Free Solder. 

Assessment of the Commercial Provider’s alternate design/fabrication/assembly standards will place 
emphasis on the following areas: 

• Material selection criteria. 

• Plating/final finishes. 

• Electrical clearance. 

• Conductor width/thickness. 

• Vibration mitigation. 

• Tin whisker mitigation. 

• Thermal management. 

• Component placement. 

• Holes and interconnects. 

• Coupon definition. 

• Testing. 

7.1.6 Electromagnetic Environment Compatibility 

7.1.6.1 Electromagnetic Environment Compatibility Technical Products 

Attention to Electromagnetic Environmental Effects and EMC is essential to the operational success of 
any vehicle design that incorporates electronic, electrical, and electromechanical subsystems operating 
in dynamically changing electromagnetic environments composed of both man-made and naturally 
occurring threats, such as the direct and indirect effects of a lightning strike. 

The referenced EMC standards documents should be implemented within the design of the commercial 
vehicle. EMC analysis, design, and test documentation products will be provided as follows, as a basis 
for successful design validation: 

• EMC Control Plan. 

• EMC hazard assessment report. 

   o Electromagnetic radiation hazards to personnel, ordnance, and volatile materials 
   o Hazardous effects of precipitation static (p-static) and direct/indirect lightning activity 
   o Electrostatic charge generating mechanisms, to avoid fuel ignition and ordnance hazards, to 
     protect personnel from electrical shock, and to prevent performance degradation or damage to 
     electronics 
   o Potential personnel hazards due to high radio frequency (RF) transmitter output powers and 
     antenna characteristics 
   o Potential fire hazards due to arcing or sparking from vented or vaporized material 

• EMC Analysis and Certification Plan. 

• Group A and B test data.* 

• List of material used in fabrication.* 

• Schematic and assembly drawings.* 

• EEE de-rating analysis.* 

• Certification standards for test equipment.* 

*For MIL-STD-981 

7.1.6.2 Electromagnetic Environment Compatibility Technical Assessment 

Review and analysis of the electromagnetic environment compatibility design and verification process 
will determine if a Commercial Provider’s standards meet the intent of the following: 

• MIL-STD-461, Requirements for the Control of Electromagnetic Interference Characteristics of 
Subsystems and Equipment. 

• MIL-STD-464, Electromagnetic Environmental Effects Requirements for Systems. 

• MIL-STD-981, Design, Manufacturing, and Quality Standards for Custom Electromagnetic 
Devices for Space Applications. 

An assessment of EMC verification products will place emphasis on the quality and completeness of the 
products in the following review areas: 

• EMC requirements traceability report. 

• EMC Certification Test Plan. 

• EMC certification data.** 

**Includes MIL-STD-981 data, which will be reviewed to verify that the device meets the 
operational and environmental requirements, as well as the compatibility of the materials used. 

7.1.7 Lightning Protection 

7.1.7.1 Lightning Protection Technical Products 

Lightning is a serious and pervasive threat to hardware on the ground and in flight. Lightning launch 
commit criteria cannot guarantee 100% that the vehicle will not encounter natural or triggered lightning. 
Landing flight rules are less restrictive, and may relax weather constraints significantly under emergency 
conditions, potentially resulting in descent through heavy weather or atmospheric regions conducive to 
natural or triggered lightning events. For these reasons, the integrated vehicle, equipment, subsystems, 
and systems must be designed such that they are protected from the indirect effects of nearby lightning. 
In addition, the integrated vehicle, equipment, subsystems, and systems must be designed such that the 
crew will survive a direct attachment event. The vehicle should be designed such that structural 
integrity is protected, thereby avoiding vehicle breakup, and critical systems that could result in 
catastrophic loss of crew or vehicle remain operational after the event. Crew intervention is acceptable 
to reset any emergency equipment, subsystems, or systems that are upset by a direct attachment event, 
although it is desirable that such equipment, subsystems, or systems be automatically reset, if reset is 
necessary. It is not necessary that the integrated vehicle, equipment, subsystems, and systems be 
designed such that they will operate without damage or upset through a direct attachment event. 

The adequacy of lightning protection designed into the vehicle should be established by the Commercial 
Provider with the provision of the following products during the vehicle design and development in 
accordance with the referenced documents: 

• Lightning zoning report (report of those vehicle surfaces or structures likely to experience 
lightning channel attachment and/or current flow between attachment points). 

• Lightning current paths analysis. 

• Lightning hazards assessment report (report on evaluation of vehicle structures or components 
whose failure or malfunction due to lightning could contribute to hazardous conditions or events). 

• Lightning Protection Plan. 

• Lightning Protection Verification Plan. 

• Lightning protection verification results/data. 


Commercial Crew Program 
Crew Transportation Technical Standards and Design Evaluation Criteria 
CCT-STD-1140, Revision: B-1 


• Lightning actual transient level analysis and equipment transient design level specification report. 

• Re-Test Plan to assess the wellness of the vehicle in the event of a lightning strike within the area 
of the CTS. 

7.1.7.2 Lightning Protection Technical Assessment 

Review and analysis of the lightning protection design and verification process will determine if a 
Commercial Provider’s standards meet the intent of the following: 

• FAA AC 20-136B, Aircraft Electrical and Electronic System Lightning Protection. 

• SAE ARP 5412A, Aircraft Lightning Environment and Related Test Waveforms. 

• SAE ARP 5414A, Aircraft Lightning Zoning. 

• SAE ARP 5577, Aircraft Lightning Direct Effects Certification. 

An assessment of lightning protection verification products will emphasize the quality and completeness 
of the products in the following review areas: 

• Vehicle zoning appropriate to natural environment interaction. 

• Detailed assessment of direct and indirect lightning effects to critical/emergency systems. 

• Detailed assessment of indirect lightning effects to mission critical systems. 

• Application of zoning information to determination of levels of protection from direct lightning 
effects for spacecraft structure and protection of critical/emergency systems to assure crew 
survivability in the event of a direct attachment to the spacecraft. 

• Application of zoning information to determine appropriate levels of protection from indirect 
lightning effects for pin and cable induced voltages and currents in mission critical systems. 

• Requirements traceability to verification tests. 

• Application of adequate design margins. 

7.1.8 Electrostatic Controls 

7.1.8.1 Electrostatic Controls Technical Products 

The control of electrostatic charging and dissipation effects in crewed CTS elements and integrated 
assemblies should be documented through development and provision of the following products to 
describe the vehicle design, as well as the establishment and maintenance of workmanship and 
manufacturing measures and practices: 

• ESD Control Plan. 

• Triboelectrification controls design assessment. 

• Design analysis for ESD protection. 

• Survey reporting on compliance with ESD Control Plan provisions. 

7.1.8.2 Electrostatic Controls Technical Assessment 

Review and analysis of the ESD control process will determine if a Commercial Provider’s standards 
meet the intent of ANSI/ESD S20.20, Protection of Electrical and Electronic Parts, Assemblies, and 
Equipment (Excluding Electrically Initiated Explosive Devices). The ESD sensitivity of electrical and 
electronic subassemblies, assemblies, and equipment is expected to be verified by test or analysis at the 
subassembly, assembly, and isolated equipment levels. ESD sensitivity of equipment in a normal flight 
configuration is expected to be verified by test. The normal flight configuration of equipment may be 
simulated in a laboratory environment. Either body/finger or hand/metal human body model (HBM) test 
methods may be utilized at the subassembly or assembly levels. The hand/metal HBM test method is 
expected to be utilized at the equipment level. Analysis is expected to use standard HBM waveforms 
and test circuits. Verification can be considered successful when the subassembly, assembly, or 
equipment, isolated and in its normal flight configuration, has demonstrated it is immune to the 
applicable ESD stimulus. 

An evaluation of the Commercial Provider’s electrostatic controls will focus on the Commercial 
Provider’s technical standards and technical processes that control and safely dissipate the build-up of 
electrostatic charges caused by p-static effects, fluid flow, air flow, exhaust gases flow, personnel 
charging, charging of launch vehicles (including prelaunch conditions) and space vehicles (post 
deployment), and other charge generating mechanisms, to 1) avoid fuel ignition and pyrotechnic 
hazards, 2) protect personnel from shock hazards, and 3) prevent performance degradation or damage to 
electronics. 

An assessment of electrostatic controls verification products will emphasize the quality and 
completeness of the submitted ESD Control Plan and supporting documentation in the following review 
areas: 

• Electrostatic charging and dissipation design requirements traceability. 

• Adequacy of controls to satisfy ESD design parameters. 

• Component parts inspection and handling. 

• Equipment and sub-assemblies marking and labeling processes. 

• Manufacturing personnel protective measures and practices. 

• Maintenance of adequate controls over product manufacturing life-cycle. 

• ESD “design to” goals. 

Review of the ESD design thresholds will determine if a Commercial Provider’s standards meet the 
intent of IEC 61000-4-2, Electromagnetic Compatibility (EMC) Testing and Measurement Techniques - 
Electrostatic Discharge Immunity Test. A successful ESD control regime will include industry standard 
“design to” withstand goals for CTS electrical and electronic equipment, including subassemblies and 
assemblies to provide protection from damage or fault due to ESD. The minimum industry standard is 
an HBM discharge at a peak discharge level of 2,000 volts for subassemblies and assemblies and 4,000 
volts for equipment. These standards apply specifically to direct contact during non-operating 
conditions to input, output, and interface connections to subassemblies and assemblies and to direct 
contact to the case or housing of isolated equipment during non-operating conditions. Any hardware in 
its normal flight configuration, operating or non-operating, should be immune to upset or damage 
resulting from exposure to a maximum industry standard HBM discharge of 8,000 volts direct contact 
or 15,000 volts air-discharge contact to operator accessible points and exposed surface areas of the 
equipment. These standards do not apply to electrically-initiated explosive devices. 

7.1.9 Electrical Bonding 

7.1.9.1 Electrical Bonding Technical Products 

The adequacy of electrical bonding features implemented for all mechanical interfaces in the integrated 
space vehicle should be documented by the following products during the vehicle design and 
manufacturing to meet the intent of NASA-STD-4003, Electrical Bonding for NASA Launch Vehicles, 
Spacecraft, Payloads, and Flight Equipment: 

• Electrical Bonding Plan. 

• Electrical bonding verification data. 

7.1.9.2 Electrical Bonding Technical Assessment 

Review and analysis of the electrical bonding design and verification process will substantiate that a 
Commercial Provider’s standards meet the intent of NASA-STD-4003. 

An assessment of electrical bonding verification products will place emphasis on the quality and 
completeness of the products in the following review areas: 

• Identification of electrical bond paths. 

• Proper allocation of electrical bonding classes to mechanical interfaces. 

• Analysis of applied electrical bonding processes. 

• Test measurements of installed electrical bonds. 

7.1.10 Low Earth Orbit Spacecraft Charging 

7.1.10.1 Low Earth Orbit Spacecraft Charging Technical Products 

In order to substantiate that the Commercial Provider meets the intent of NASA-STD-4005, Low Earth 
Orbit Spacecraft Charging Design Standard, and to certify their design for high-voltage space power 
systems (>55 volts) that operate in low Earth orbit (LEO), emphasis, as a minimum, will be placed on 
designs that do not produce hazards or mission success issues with respect to EMI/EMC effects on 
photovoltaic efficiency or avionics, power, thermal control and pyrotechnic system reliability due to: 

• Surface arcing. 

• Parasitic current loss comparable to power system margin. 

• Parasitic plasma currents. 

Commercial Provider vehicle designs must limit current collected from the space plasma environment 
when docked to the ISS to levels within the current constraints specified in SSP 50808. 

7.1.10.2 Low Earth Orbit Spacecraft Charging Technical Assessment 

Review and analysis of the spacecraft’s power system’s design for prevention and mitigation/control of 
spacecraft exterior charging and verification process will determine if a Commercial Provider’s 
standards meet the intent of NASA-STD-4005. 

Verification of LEO space systems’ performance should not be attempted solely by analysis without 
advanced concurrence from the responsible NASA Program Office. Assessment of the Commercial 
Provider’s alternate spacecraft exterior charging in LEO control standards will place emphasis on 
simulated LEO plasma environmental test data under worst case simulated operational 
conditions. There may be some cases where only an analysis will suffice. Final decision on whether a 
simulated environmental test is required will require Program Office concurrence. 

7.1.11 Communication and Spectrum Management 

7.1.11.1 Communications 

In order to substantiate that the Commercial Provider meets the requirements of CCT-REQ-1130 that 
ensure acceptable RF communications performance and compatibility with other spectrum users, 
emphasis will be placed on the following: 

• Compliance to the Space Network Users Guide requirements (current revision). Verify if tracking 
and data relay system (TDRS) service is planned by analysis and space network category 1 and 
category 2 compatibility tests. 

• Compliance with spectrum standards as stated in Section 7.1.11.2. 

• For space-to-ground transmission, transmitter can only be on when a capable ground station is in 
view of the spacecraft and must be able to control power on/off. 

• Maximum BW per channel in S-band limited to 5 MHz downlink and 6.14 MHz for space-to-space 
links. 

• RF performance standards are specified for the ideal condition; however, expected aggregate 
interference degradation based on an expected RF environment, structure blockage, vehicle 
orientation, antenna pointing direction, etc., should be factored into the final verification of 90% 
communications during ascent and 65% communications during reentry. 

• ISS frequency compatibility - spacecraft RF must meet interface requirements of SSP 50808, 
cannot impede/constrain operation of the ISS, and cannot require the ISS to operate in non- 
standard attitudes to accommodate communications. 

• Inclusion of power control capability to reduce transmit output power for safety considerations, 
especially when in close proximity operation of the ISS or radiating when docked. 

• A minimum BER of 10E-08 measured at the output of a decoder with a 3 dB margin should be 
maintained. This BER is not to be confused with the BER of the RF channel, which is typically 
much higher (10E-03, 10E-04). 

7.1.11.2 Spectrum Utilization Standards 

The following criteria are necessary to assure compatibility with NASA’s deep space operation and 
to minimize interference to TDRS space network multiple access users. Non-compliance will result in 
operational constraints and additional limitations regarding operation of the spacecraft links in adjacent 
bands. 


Maximum Interference Power Spectral Flux Density

Frequency          Maximum interference power spectral flux density (dB(W/m²/Hz))
---------------    --------------------------------------------------------------
2290-2300 (MHz)    -257
8400-8450 (MHz)    -255.1
31.8-32.3 (GHz)    -249.3


MAXIMUM RADIATED POWER FOR SYSTEMS EMPLOYING SN RETURN LINKS AT A FREQUENCY OF 2287.5 MHz

Case                                                                  Maximum Radiated EIRP (dBW)
------------------------------------------------------------------    ---------------------------
CTS Systems Transmitting Operational Point-to-Point Links to TDRSS    25.1¹

Note:

¹ The maximum EIRP value is based on the use of right hand circular polarization (RHCP). A reduction in maximum EIRP 
value would result if left hand circular polarization (LHCP) is employed.


7.1.12 Avionics and Electrical Systems References 


Document Number           Revision  Title
------------------------  --------  --------------------------------------------------------------
AIAA S-111-2005                     Qualification and Quality Requirements for Space Solar Cells
AIAA S-112-2005                     Qualification and Quality Requirements for Space Solar Panels
ANSI C63.16                         American National Standard Guide for Electrostatic Discharge
                                    Test Methodologies and Criteria for Electronic Equipment
IEEE STD C62.38                     IEEE Guide on ESD: ESD Withstand Capability Evaluation
                                    Methods (for Electronic Equipment Subassemblies)
JPR 8080.5                          JSC Design and Procedural Standards
SAE ARP 5416                        Protection of Aircraft Electrical/Electronic Systems Against the
                                    Indirect Effects of Lightning
RTCA DO-160E              Rev. E    Environmental Conditions and Test Procedures for Airborne
                                    Equipment (Sections 22 and 23)


7.2 EEE (Electrical, Electronic, and Electromechanical) Parts Management 

The EEE Parts Management Plan establishes the minimum technical requirements for electronic parts 
used in the design, development, and fabrication of electronic hardware for the crew and launch vehicle. 
The plan should manage and control the selection, acquisition, traceability, testing, handling, packaging, 
storage, and application of the EEE parts in the CTS. 

The CTS subsystems should emphasize parts selection that fit the application, the environment, 
reliability and assurability for a human-rated program. The best practices for the development and 
implementation of an Aerospace EEE Parts Control Plan can be found in several Military and/or NASA 
standards listed below: 

• SMC Standard SMC-S-010, Space and Missile Systems Center Standard, Parts, Materials, and 
Processes Technical Requirements for Space and Launch Vehicles. 

• MSFC-STD-3012, Electrical, Electronic, and Electromechanical (EEE) Parts Management and 
Implementation Plan for MSFC Space Flight Hardware or an equivalent document. 

7.2.1 EEE Parts Management Technical Products 

A comprehensive EEE Parts Verification and Implementation Plan as described in SMC Standard SMC- 
S-010 or MSFC-STD-3012 or an equivalent document should be established. An analysis/review of the 
following design documentation will determine the adequacy of the implementation of this plan: 

• EEE Parts Selection Plan and screening process (note: contained in Paragraph 7.1.1). 

• As-designed and as-built EEE parts list (note: contained in Paragraph 7.1.1) including rationale 
behind the use of less than the highest reliability parts which addresses the application, including 
performance, environment, criticality, and mission lifetime. 

• De-rating and application analysis (an example of NASA typical wire/cable de-rating criteria can 
be found in SSP 30312, Appendix B). 

7.2.2 EEE Parts Management Technical Assessment 

In order to substantiate that the alternate documents meet the intent of standards identified in CCT-REQ- 
1130 for EEE parts, a review of the EEE Parts Management Plan and support documentation will be 
conducted. The plan should ensure the reliability of the EEE parts used through elimination of infant 
mortality, die attach, wire bonding, and the overall part assembly process anomalies. Emphasis will be 
placed in the following areas for compliance: 

• EEE parts requirements. 
o EEE parts selection 

o Minimum grade of EEE part to be used based on criticality, redundancy, and failure 
tolerance of the system 

o Typically Class S for critical, non-redundant, non-failure tolerant systems and Class B for 
redundant, failure tolerant systems. 

o Parts qualification and 100% screening when the minimum grade cannot be obtained 
o Destructive physical analysis (per lot) 
o Particle impact noise detection (per part) 
o Thermal cycling (per part) 
o Burn-in (per part) 
o X-ray analysis (per part) 

o Ionizing radiation hardness assurance for each lot of parts 
o Pure Tin Mitigation Plan should meet the intent of GEIA-STD-0005-2 
o Counterfeit Parts Control Plans (reference SAE/AS5553), including control of parts 
obsolescence 
o Use of trusted sources 

o Commercial Off the Shelf (COTS)/Military Off the Shelf (MOTS) analysis/screening 

• EEE Parts procurement processes. 

o Vendor controls 

• The process for traceability and reporting of non-conformances should be defined in the Provider’s 
Non-conformance Plan. 

• EEE parts controlling specifications. 

• Parts assurance actions, including audits. 

• ESD Implementation Plan should meet the intent of ANSI/ESD S20.20. 

• Ionizing Radiation Control Plan that defines the test regime necessary to meet the environment. 

For on-orbit, this environment is specified in SSP 30512, Space Station Ionizing Radiation Design 
Environment. 


7.2.3 EEE Parts Management References 


Document Number     Revision   Title
AS5553                         Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition


7.3 Mechanical Systems 

7.3.1 Mechanisms Subsystem 

Mechanisms are components and systems in which mechanical parts move relative to one another in 
order to provide some desired function on the spacecraft. Correct operation of the mechanism 
subsystem is required to ensure crew safety and mission success. 

The mechanism subsystem should employ designs which can be readily submitted to engineering 
analyses, while conforming to standard aerospace industry practices. The designs should utilize 
materials having mechanical properties that are well characterized for the intended service environments 
and design conditions. Likewise, all sub-components used in the design of mechanisms should have 
well understood and predictable performance in the intended service environments and design limits. 
These component items may include, but are not limited to, switches, bearings, motors, dampers, 
clutches, torque limiters, lubricants, springs, and valves (including use in fluids and propulsion systems). 
For reusable and multi-mission hardware, these criteria are applicable throughout the service life of the 
mechanism. 

The best practices for this design and verification process and its associated documentation can be found 
in the relevant NASA standard, described below: 

• NASA-STD-5017, Design and Development Requirements for Mechanisms. Section 4.7, Fastener 
Retention and Section 4.8.9, Preload Bolt Criteria may be excluded, as the best practices for 
structural fasteners are contained within other NASA documentation. NASA-STD-5017 provides 
an excellent set of guidelines for the design and development of any aerospace mechanism. Much 
of the guidance specified within this standard has been derived from lessons learned throughout 
the NASA agency and across multiple flight programs. 

7.3.1.1 Mechanisms Subsystems Technical Products 

The Commercial Provider should provide design documentation to substantiate that all vehicle 
mechanisms have been adequately designed and verified, and demonstrate that they meet the intent of 
NASA-STD-5017. An analysis/review of the following design documentation will determine the 
adequacy of mechanism design standards: 

• Design drawings and specifications that fully describe the mechanism subsystem and components, 
as well as their proper integration into the flight vehicle. 

• Detailed engineering analysis of each mechanism subsystem, including a complete summary of 
mechanism torque/force margins where applicable, and also the margins of safety for each 
mechanism sub-component within the allowable mechanism rigging tolerances. 

• A full description of any computational models and methods used in the analysis, a description of 
the assumptions used to facilitate the modeling, as well as the testing which supports the 
assumptions within these models. 

• Test plans, results, and reports, to include but not limited to, qualification testing, acceptance 
testing, design life and cycle testing, and environmental testing. 

• An analysis of the criticality of each mechanism on the spacecraft with regards to its implication 
for crew safety. 

7.3.1.2 Mechanisms Subsystems Technical Assessment 

A review of the mechanism design and verification documents will place emphasis on the following 
areas: 

• Mechanism design, performance, integrity, and operability for all mission phases, including pre- 
mission integrated testing, and post-mission recovery and vehicle safing. 

• Validation that Commercial Provider verification tests adhere to “test like you fly” philosophy. 

• Review of component, subsystem, and system requirements traceability from the vendor to the 
primary Commercial Provider. 

• Review of acceptance and qualification data (test plans, procedures, and reports) to verify CTS, 
including refurbished or re-flown products, meets performance specifications, demonstrates 
acceptable quality and workmanship, and is ready to be committed to flight. Review and 
assessment of subsystems and unit qualification and acceptance data will determine if a 
Commercial Provider’s standards meet the intent of SMC-S-016, Test Requirements for Launch, 
Upper-Stage, and Space Vehicles. 
7.3.2 Pyrotechnics Subsystem 

7.3.2.1 Pyrotechnics Subsystem Technical Products 

The “one time, every time” single use nature of pyrotechnic devices and the criticality of their associated 
functions require that a confidence be instilled through thorough documentation, review, and test of the 
component lot build parts and processes. 

Typically, documentation that substantiates that the individual pyrotechnic components and the 
pyrotechnic systems have been adequately designed, manufactured, and tested to demonstrate 
compliance with the intent of this requirement using a documented, accepted standard (e.g., JSC 
62809D) will be generated. Documentation provided should include: 

• Concept of operation and design detail of each pyrotechnic system, including layouts, 
identification of components, interfaces/interconnect detail, and identification of fault tolerance 
within each system. 

• Worst-case predicted natural and induced environments for each device/system. 

• Design specification and source control or vendor control drawing for each device. 

• Baseline review and production review documentation for each device (i.e., Phase I and Phase II 
review data per JSC 62809D). 

• Development test reports with accompanying technical data. 

• Margin test reports with accompanying technical data. 

• Qualification test plans and reports with accompanying technical data. 

• Analyses supporting qualification of each device and system. 

• Lot acceptance data information and data package (i.e., Phase III review data per JSC 62809D). 

• Age life test plans and reports with accompanying technical data. 

7.3.2.2 Pyrotechnics Subsystem Technical Assessment 

Review and analysis of the pyrotechnic subsystem design and verification process will determine if a 
Commercial Provider’s pyrotechnic standards address the requirements in and meet the intent of JSC 
62809D, Human-Rated Spacecraft Pyrotechnic Specification. 

A review of the submitted documentation will place emphasis on the following areas: 

• Mission criticality. 

• Applicability of the component to its intended system function. 

• Component and piece parts traceability up to and including powders. 

• Testing to demonstrate margin. 

• Detailed analysis and testing to verify the component’s ability to properly function after exposure 
to natural and induced environments. 

• Component phase reviews of critical systems as defined within JSC 62809. 

• Evaluation of the failure tolerance of each pyrotechnic subsystem design to verify single fault 
tolerance for fails to operate failure modes. If not completely fault tolerant, an evaluation of data 
that demonstrates that design sensitivities are understood and failure modes mitigated. 

• Review of lot acceptance data, which will occur on a recurring basis for every production lot, to 
verify: 

o Each lot is of the same design and construction, fabricated in one unchanging and essentially 
continuous manufacturing process, with traceability maintained on each device and piece 
part/material. 




o Only one lot of each explosive or pyrotechnic material is used in a lot of explosively loaded 
components or devices. 

o Successful performance of non-destructive lot acceptance tests on 100% of each production lot 
of devices. 

o Successful performance of destructive lot acceptance testing conducted after completion of 
non-destructive tests on a randomly selected sample of the production. The destructive lot 
acceptance testing includes subjection of the components to specified thermal and dynamic 
environments prior to performance test. 

• Review of qualification reports and data for each pyrotechnic device and system. The review will 
verify that testing has utilized test hardware of the same configuration and manufactured under the 
same production process as the flight hardware, and that hardware properly functions after 
exposure to the worst case natural and induced environments anticipated during its operational life. 

• Evaluation of auto ignition temperature testing and analysis for the explosive materials selected to 
verify that they will not auto ignite when subjected to 50 °F above the maximum predicted thermal 
exposure for which the device is designed. 

• Evaluation of pyrotechnic and explosive materials seal designs to verify that loaded components 
are sealed to a leak rate not greater than 1 x 10^-6 cc/second of helium when measured at one 
atmosphere differential pressure. 

• Evaluation of threaded parts to ensure appropriate engagement and captive features with an 
expectation that all parts are positively locked. 

• Evaluation of the design of pressure actuated devices to verify that components exposed to 
operating pressure are capable of withstanding an internal static proof pressure of 1.2 times the 
maximum operating pressure without permanent deformation or leakage, and an internal pressure 
of 1.5 times the maximum operating pressure without structural failure (burst). 

• Evaluation of the design of pressure actuated devices to ensure they are capable of withstanding 
internal pressures generated in operation with the movable part restrained in its initial position and 
without rupture or the release of shrapnel, debris, or hot gases that could compromise crew safety 
or mission success. 

• Evaluation of the compatibility of materials used in devices to verify that all materials are 
compatible with each other to the extent that no reaction occurs that might adversely affect the 
component or system performance or safety. 

• Evaluation of each pyrotechnic system design to verify that the designs preclude incorrect 
installation and assembly. 

• Evaluation of margin test results on pyrotechnic component interfaces, component performance 
and, as applicable, subsystem performance. 

• Evaluation of Commercial Provider’s proposed age life evaluation methodology to verify that 
testing will be conducted at specific intervals to demonstrate that performance characteristics 
continue to meet lot acceptance criteria without significant degradation. 

• Evaluation of the Commercial Provider’s pyrotechnic device configuration control, which should 
be unique for its pyrotechnic devices and should be established and maintained for the design, 
manufacturing processes, materials, inspection, acceptance, and qualification of all pyrotechnic 
devices. 
7.3.3 Purge, Vent, Drain Subsystems 

7.3.3.1 Purge, Vent, Drain Subsystem Technical Products 

In support of design validation, the following products will be used to substantiate that the purge, vent, 
drain (PVD) systems have been adequately designed, assembled, tested, serviced, and verified: 

• Purge and vent products, 
o Vehicle purge 

- Thermal/humidity control analysis 

- Hazardous Gas Detection Plan 

- Cavity inerting analysis 

o Vehicle cavity and PVD system venting analysis 

7.3.3.2 Purge, Vent, Drain Subsystem Technical Assessment 

Evaluation of the PVD systems documentation products will focus on establishing confidence in the 
products, hardware design, and processes. Confidence will be established by assessing the provided 
documentation products against Government and industry standards, lessons learned, and best practices 
where they exist and are relevant to the PVD systems under assessment. 

Assessments of PVD systems will place emphasis on the following: 

• Evaluation of the vehicle conditioning/purge ground system and concept of operations to verify the 
expected operation and requirements are met in accordance with the vehicle thermal/humidity 
design analysis, the Hazardous Gas Detection Plan, the cavity inerting analysis, and the vehicle 
cavity and PVD system venting analysis. 

• Assurance that the PVD system is designed to optimize a safe environment for the crew and 
ground personnel. 


7.3.4 Purge, Vent, Drain Subsystem References 


Document Number     Revision   Title
SP-8060                        Compartment Venting, NASA Space Vehicle Design Criteria
NASA-STD-5001                  Structural Design and Test Factors of Safety for Spacecraft Hardware


7.4 Structures 

Structures are components and assemblies designed to sustain loads or pressures, provide stiffness and 
stability, or provide support or containment. Internal components are not considered primary structures 
if their failure would not result in a critical or catastrophic hazard. 

Flight hardware structure must maintain structural integrity during the service life of the spacecraft and 
launch vehicle, including damage tolerance capability and resistance to effects of aging on the hardware, 
as applicable. The design loads are determined by the integrated system loads analysis or analysis of 
subsystem flight or ground events, and are defined in the Loads Control Plan. 

The launch vehicle and spacecraft structural subsystems should employ designs that are amenable to 
engineering analyses by current state-of-the-art methods and conforming to standard aerospace industry 
practices. More specifically, the designs are assumed to use materials having mechanical properties that 
are well characterized for the intended service environments and all design conditions. For reusable and 
multi-mission hardware, these criteria are applicable throughout the service life and all of the missions. 
Repaired or refurbished structures must meet the design and verification standards for new hardware. 

The best practices for this design and verification process and its associated documentation can be found 
in the relevant NASA standards, described below: 

• Use JSC 65828, Structural Design Requirements and Factors of Safety for Space Flight Hardware 
for primary structure, other than windows. 

• To mitigate the risk of catastrophic structural failure due to the presence and growth of flaws or 
damage throughout the service life, use NASA-STD-5019, Fracture Control Requirements for 
Space Flight Hardware for fracture control. 

• For design and verification of all liquid propellant engines, use NASA-STD-5012. The intent of 
NASA-STD-5012 was for liquid propellant rocket engines with thrust greater than 6000 lbs based 
on lessons learned from engines in higher thrust classes; therefore, the requirement specified in 
NASA-STD-5012 will require tailoring for liquid propulsion engine systems with less than 6000 
lbs of thrust. Simplification may include relaxing requirements, such as the required number of 
structural qualification engines and/or tests. Structural factors of safety for these smaller 
propulsion systems are provided in JSC 65828, along with some recommended tailoring of NASA- 
STD-5012. 

• For design and verification of glass or ceramic structural components, including windows, use 
NASA-STD-5018, Strength Design and Verification Criteria for Glass, Ceramics, and Windows in 
Human Space Flight Applications. 

• Design and verification best practices for structural fasteners are addressed in NASA-STD-5020, 
Requirements for Threaded Fastening Systems in Spaceflight Hardware. 

A Commercial Provider may choose existing standards or maintain their own technical standards for 
structural design and verification, and may propose this substitution subject to NASA CCP approval. 
Technical standards are not intended to address every contingency; therefore, design factors may be 
tailored to reflect the rigor applied to understanding typical uncertainties in the design or performance of 
the structural subsystem, including predicted loads and environments, predicted structural response, load 
path simplicity, material properties, manufacturing or maintenance variability, and damage tolerance 
capabilities. 

7.4.1 Structures Subsystem Technical Products 

A comprehensive SVP (as described in JSC 65828) documenting the full structural analysis, test, and 
assessment program provides the basis for successful design validation. 

NASA expects to review the SVP at all design and engineering milestones. The initial delivery of the 
SVP should occur early in the design phase, before more than 40% of the drawings are released. The 
fidelity at this first review should be detailed enough to define the structural verification approach, 
including planned development testing. 

The SVP must be maintained and updated, because the hardware design and the design data will evolve 
as the loads, mass properties, temperatures, and other environments are verified. The SVP should be 
updated prior to the final design review to support these evolutions and to update the structural 
verification approach, as needed. 
In support of design validation, the Commercial Provider should prepare documentation that 
substantiates that the structure has been adequately designed and verified to meet the intent of standards 
described herein. 

The documentation should include: 

• An SVP (as described in JSC 65828). 

• Glass and Ceramics Verification Plan (as described in NASA-STD-5018) that outlines how 
structural glass and ceramics will be verified. 

• Design drawings that fully describe the subsystem and components and their assembly into the 
flight vehicle. 

• Detailed stress analysis, including a complete summary of the minimum margin of safety for each 
structural part. 

• A full description of the numerical models and methods used in the analysis and the tests that 
validate those models. 

• Test plans, results, and reports, including structural and damage tolerant certifications of 
composite/bonded structures by building block testing. 

• Test plans, results, and reports describing the verification results for glass and ceramics. 

• A Fracture Control Plan (FCP) and Fracture Control Summary Report (FCSR) as outlined in 
Section 8.1 of this document. 

7.4.2 Structures Subsystem Technical Assessment 

NASA’s review of the structural design and verification documents will place emphasis on the following 
areas: 

• Primary structure design functionality and integrity for all mission phases. 

• Validation that Commercial Provider verification tests adhere to “test like you fly” philosophy. 

• Review of component, subsystem, and system requirements traceability from the vendor to the 
primary Commercial Provider. 

7.4.3 Thermal Protection System 

7.4.3.1 Thermal Protection Systems Technical Products 

The fundamental purpose of the spacecraft’s Thermal Protection System (TPS) is to protect the vehicle 
from the ascent and reentry environments and maintain structure temperatures within specified limits. 
The TPS presents catastrophic hazards and will contain elements that cannot be practically designed 
with any level of failure tolerance. 

JSC 65827, Thermal Protection System Design Standard for Spacecraft provides the best practices for 
the design and verification of the TPS, and is the approved standard for addressing the absence of TPS 
failure tolerance. Thus, documentation must be provided that substantiates that the TPS has been 
adequately tested and/or analyzed to meet the intent of JSC 65827. It is recognized that Commercial 
Providers may choose existing standards or maintain their own technical standards for TPS design, 
analysis, and test under the condition that the detailed intent of JSC 65827 is met. 

To the extent specified in JSC 65827, the following documents should also be applied to the TPS: 

• For structural design and verification of the TPS, use JSC 65828, Structural Design Requirements 
and Factors of Safety for Space Flight Hardware, or equivalent. 
• For fracture control of the TPS, use NASA-STD-5019, Fracture Control Requirements for 
Spacecraft, or equivalent. 

• For M&P associated with the TPS, use NASA-STD-6016, Standard Materials and Processes 
Requirements for Spacecraft, or equivalent. 

Specific Commercial Provider provided products that should be developed in order to demonstrate flight 
certification of the TPS include, but are not limited to, the following: 

• TPS Certification Plan. 

• Requirements and description document. 

• Risk Management Plan. 

• Subsystem/component specifications. 

• Materials Properties Plan and report, including material allowable. 

• Qualification test plans and reports. 

• Thermal and structural analysis reports, including margin policy and model validation reports. 

• Damage tolerance assessment, including Micro Meteoroid Orbital Debris (MMOD). 

• Reliability Assurance Plan and analysis reports. 

• Quality Assurance Plan, data, and documentation. 

• Acceptance data package. 

7.4.3.2 Thermal Protection Systems Technical Assessment 

TPS certification is primarily implemented through a verification and validation program applied to the 
TPS design through the development and qualification program, and applied to the TPS hardware 
through an acceptance program. TPS certification requires not only that the TPS satisfy its allocated 
functional and interface requirements at all levels, but also that TPS operational environments are 
understood for all mission phases and the TPS response to those environments is understood and 
predictable. An evaluation of the submitted TPS certification documentation will place emphasis on the 
following areas: 

• Verification of functionality, design, and integrity for all mission phases. 

• Detailed thermal/structural analysis, including a fully substantiated margin policy and analytical 
model validation evidence. 

• Test data: 

o Aerothermal testing at coupon and element (as applicable) levels to demonstrate performance 
in the predicted environment and potential failure modes. 

o Material property testing and results. 

o Structural and thermal/structural testing at coupon, element, sub-component and 
component/vehicle levels. 

• Component, subsystem, and system requirements traceability and knowledge and verification of 
environments. 


7.4.4 Structures Subsystem References 

Reference documents are listed in the documents and standards described above. Not all of the 
following documents are in every standard discussed in this section of CCT-STD-1140. 


Document Number          Revision   Title
ANSI/AIAA S-080-1998                Space Systems - Metallic Pressure Vessels, Pressurized Structures, and Pressure Components, September 13, 1999
ANSI/AIAA S-081A-2006               Space Systems - Composite Overwrapped Pressure Vessels (COPVs), July 24, 2006
ASTM C1368                          Standard Test Method for Determination of Slow Crack Growth Parameters of Advanced Ceramics by Constant Stress-Rate Flexural Testing at Ambient Temperature
ASTM C1421-01b                      Standard Test Methods for Determination of Fracture Toughness of Advanced Ceramics at Ambient Temperature
ASTM C1576                          Standard Test Method for Determination of Slow Crack Growth Parameters of Advanced Ceramics by Constant Stress Flexural Testing (Stress Rupture) at Ambient Temperature
JSC 28918                           EVA Design Requirements and Considerations
JSC 65827                Rev. A     Thermal Protection System Design Standard for Spacecraft
JSC 65828                Rev. B-1   Structural Design Requirements and Factors of Safety for Space Flight Hardware
JSC 65829                Rev. A     Loads and Structural Dynamics Requirements for Space Flight Hardware
JSC 65831                           Fracture Control Standard for Spacecraft
MIL-HDBK-60                         Threaded Fasteners-Tightening to Proper Tension
NASA-STD-5012            Baseline   Strength and Life Assessment Requirements for Liquid Fueled Space Propulsion System Engines
NASA-STD-5001                       Structural Design and Test Factors of Safety for Spacecraft Hardware
NASA-STD-5017                       Design and Development Requirements for Mechanisms
NASA-STD-5018            Baseline   Strength Design and Verification Criteria for Glass, Ceramics, and Windows in Human Spaceflight Applications
NASA-STD-5019                       Fracture Control Requirements for Space Flight Hardware
NASA-STD-5020            Baseline   Requirements for Threaded Fastening Systems in Spaceflight Hardware
NASA-STD-6008                       NASA Fastener Procurement, Receiving Inspection, and Storage Practices for Space Flight Hardware
NASA-STD-6016                       Standard Materials and Processes Requirements for Spacecraft
NASA-STD-7001                       Payload Vibroacoustic Test Criteria
NASA-TM-X-73305                     Astronautic Structures Manual
NPR 8705.4                          Risk Classification for NASA Payloads
SSP 50808                           ISS to Commercial Orbital Transportation Services Interface Requirements Document


7.5 Fluid Systems 

The launch vehicle, spacecraft, and crew systems design may include liquid and gaseous fluid systems 
that utilize, control, or supply fluids. Fluids systems may include, but are not limited to, water, oxygen, 
cryogenic systems, storables, hydraulic fluids, pressurization fluids (including helium and nitrogen), 
thermal conditioning, and environmental control fluids. Any and all associated fluid storage, lines, 
fittings, valves, and other fluid components are considered part of the fluid systems. The design, 
assembly, test, and certification of all fluid systems must be adequately documented and must be 
available for review throughout all stages of the fluids system development life-cycle. Proper design 
and integration of fluid systems is essential to ensure crew safety and mission success. 

Many sections of this document and the CTS requirements document reference technical products that 
complement fluids system design. These products not only apply at the integrated vehicle-level, but are 
also applicable at the subsystem-level. These products are not repeated here, but will be evaluated as 
critical to fluid systems, and this section must be augmented with those other technical products to be 
considered complete (e.g., hazard analysis). 

7.5.1 Fluids Subsystem Technical Products 

In support of design validation, the following products will be used to substantiate that the fluid systems 
have been adequately designed, assembled, tested, serviced, and verified: 

• Systems design analysis for each subsystem, including but not limited to: 

  o Design drawings and specifications that fully describe the subsystem and components, as well 
    as their integration into the flight vehicle. 

  o Fluid subsystems mission operation plans, including emergency/contingency operations. 

  o Summary of verification test, analyses, and controls for fluids whose leakage is hazardous. 

  o Engineering analysis of each subsystem showing margins, including but not limited to: 

    - Pressure budget analysis and subsystem performance analyses, addressing nominal 
      conditions, tolerance effects, and failure effects. 

    - Pressure and thermal control analysis 

    - Composite Overwrapped Pressure Vessel (COPV) and pressure vessel design. 

    - Flow induced vibration analysis. 

      • Flow test plans and reports 

    - Fluid line design (combined pressure/thermal/mechanical load analysis). 

    - Fatigue analysis, non-hazardous leak before burst (NHLBB), and/or safe life analysis. 

    - Transient pressure analysis for design and operational impacts. 

    - Consumables management analysis. 

      • Mission assumptions 

      • Usage plans 

    - Allowable leakage. 

    - Relief mechanisms. 

  o Material analysis and fluid compatibility. 

    - Oxygen compatibility assessment 

      • Material uses 

      • Processes 

    - Materials exposed to hazardous fluids will be evaluated or tested for compatibility (as 
      referenced in NASA-STD-6016) 

• Acceptance and qualification test plans and methods: 

  o Analysis/inspection reports 

  o Demonstration test results 

  o Test procedures results and pass/fail criteria 

• Integrated fluid system testing results, including but not limited to: 

  o Integrated software/avionics and fluid system testing. 

• Requirements verification report. 
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• Fabrication Process Control Plan. 

• Inspection Plan, including nondestructive evaluation (NDE), and inspector certification program. 

• Fluid servicing and ground operating procedures. 

• Contamination Control Plan (as referenced in NASA-STD-6016). 

• Fluid use and procurement specification. 

7.5.2 Fluid Subsystem Technical Assessment 

Evaluation of the fluids systems documentation products will focus on establishing confidence in the 
products, hardware design, and processes. Confidence will be established by assessing the provided 
documentation products against Government and industry standards, lessons learned, and best practices 
where they exist and are relevant to the fluid systems under assessment. 

Assessments of fluid systems will place emphasis on the following: 

• Evaluation of fluid system related design and hazard analysis, reliability analysis, separation of 
critical redundant systems assessments, plans, and operations to determine that integrated 
components and systems will operate as designed and will not cause injury to the crew or damage 
to the system. 

• Evaluation of models, simulation data, and reports to assess whether models and simulations used 
in the design and certification of fluid systems have been properly validated, utilized, and are 
configuration controlled. Review and analysis of the modeling and analysis methodology will 
determine if a Commercial Provider’s standards meet the intent of JSC 65829, Loads and 
Structural Dynamics Requirements for Space Flight Hardware. 

• Evaluation of Inspection Plan and inspection certification program to ensure appropriate inspection 
milestones are planned. 

• Review of fluid component design products to verify that the design requirements are met. 
Review and analysis of the component design will determine if a Commercial Provider’s standards 
meet the intent of NASA-STD-5017, Design and Development Requirements for Mechanisms. 

• Evaluation of pressure vessel and COPV analysis to verify that design requirements are met. 
Review and analysis of the design and verification process will determine if a Commercial 
Provider’s standards meet the intent of JSC 65828, Structural Design Requirements and Factors of 
Safety for Space Flight Hardware; AIAA S-080, Space Systems - Metallic Pressure Vessels, 
Pressurized Structures, and Pressure Components; and AIAA S-081A, Space Systems Composite 
Overwrapped Pressure Vessels. 

• Evaluation of NHLBB pressure component design to verify that design requirements are met. 
Review and analysis of the component design will determine if a Commercial Provider’s standards 
meet the intent of NASA-STD-5019, Fracture Control Requirements for Space Flight Hardware. 

• Review of acceptance and qualification data (test plans, procedures, and reports) to verify that the 
CTS (including refurbished or re-flown products) meets performance specifications, demonstrates 
acceptable quality and workmanship, and is ready to be committed to flight. Review and 
assessment of subsystems and unit qualification and acceptance data will determine if a 
Commercial Provider’s standards meet the intent of SMC-S-016, Test Requirements for Launch, 
Upper-Stage, and Space Vehicles. 

• Review of fluid servicing and ground operating procedures to verify that fluid system integrity is 
maintained. Review and analysis of the system ground and flight design will determine if a 
Commercial Provider’s standards meet the intent of NASA-STD-6016. 

• Evaluation of systems consumables analysis and loading procedures to ensure adequate margin in 
accordance with Nominal Mission Plan analysis documents, including contingency and emergency 
scenarios as developed by the CCP. 


7.5.3 Flow-Induced Vibration (FIV) for Flexhoses and Bellows 

The occurrence of flow-induced vibrations in convoluted metal bellows and flexhoses can result in a 
catastrophic structural fatigue failure. Grazing flow across the convolutes may result in vortex 
formation and shedding from the tips of the convolutions. When the frequency of this vortex shedding 
coincides with one of the natural longitudinal resonant frequencies of the bellows or flexhose structure, 
then a strong bellows flow induced vibration (“lock-in”) can exist. Therefore, all CTS flexhoses and 
bellows must be analyzed for the existence of FIV over their operating flow range +/-10% in accordance 
with MSFC-DWG-20M02540, Assessment of Flexible Lines for Flow-Induced Vibration or an approved 
alternate standard with the following exceptions: 

• Metal bellows and flexhoses with full flow liners that preclude FIV 

• Metal bellows and flexhoses with steady-state flow less than one second duration 

• Metal bellows and flexhoses which experience an operating flow environment that is different 
(atypical flow) than the FIV phenomena described in MSFC-DWG-20M02540 and also beyond 
the capability of MSFC-DWG-20M02540 to predict. However, an alternative analysis technique 
should be developed as described later on in this section. 

The following, along with Figure 7.5.3-1, outlines the process for design acceptability to minimize the 
likelihood of a catastrophic failure of bellows and flexhoses. 

• The primary objective is to eliminate FIV through design. This is accomplished when the 
analysis per MSFC-DWG-20M02540 shows that FIV does not exist in the operating flow range 
+/- 10%. 

• When the MSFC-DWG-20M02540 analysis predicts FIV and redesign is not achievable, the 
following must occur: 

a) Incorporation of additional design robustness such as integration of flow liners. 

b) Performance of a resonant flow test to show an acceptable life in accordance with MSFC- 
SPEC-626, Test Control Document for Assessment of Flexible Lines for Flow Induced 
Vibration or an approved alternate standard. 

i) The first part of the resonant flow test performs a resonance search to determine if flow 
coupling occurs and if so, at what flowrate and frequency. The design is acceptable if 
coupling is shown not to occur. This outcome is due to conservatism associated with the 
MSFC-DWG-20M02540 analysis for predicting FIV. 

ii) The second part of the resonant flow test is implemented when coupling is detected 
during the resonant search test above, and consists of dwelling at the most severe 
resonant condition until the number of cycles equivalent to four times the operational life 
have been accumulated at the resonance condition. The design is acceptable if the 
bellows or flexhose survives this flow test (i.e., shows no indication of fluid leakage or 
detrimental damage). 

The following applies only to ground systems and equipment bellows and flexhoses, whose failure due 
to FIV does not result in a situation that jeopardizes the safety of personnel or cause damage/degradation 
of flight hardware during test operation or ground processing. When FIV is predicted in the MSFC- 
DWG-20M02540 analysis for these ground systems and equipment bellows and flexhoses, and redesign 
is not achievable, the following must occur to achieve design acceptability: 

• Performance of a fatigue life analysis in accordance with MSFC-DWG-20M02540. The design 
is acceptable when the analysis shows a theoretical infinite life and when the maximum 
operating flow velocity through the flexible line is limited in accordance with MSFC-DWG- 
20M02540. 

• Performance of a resonant flow test in accordance with MSFC-SPEC-626 when a fatigue life 
analysis predicts a finite life. This resonant flow test consists of dwelling at the most severe 
resonant condition until the number of cycles equivalent to four times the operational life have 
been accumulated at the resonance condition. The design is acceptable if the bellows or flexhose 
survives this flow test (i.e., shows no indication of fluid leakage or detrimental damage). 

An evaluation should be made in the design process for each bellows and flexhose to determine if the 
MSFC-DWG-20M02540 is applicable or not. For those metal bellows and flexhoses which experience 
an operating flow excitation environment that is different than the grazing flow environment described 
by MSFC-DWG-20M02540, or beyond the capability of MSFC-DWG-20M02540 to predict, then an 
alternative analysis technique must be used to determine if any FIV occurs over the operating flow range 
+/- 10%. This different flow excitation environment is called “atypical flow”. The alternative analysis 
technique and assumptions used must be shown to be conservative and valid through an appropriate test 
program. 

Examples that may cause atypical flow are as follows: 

1. Strong back flow swirl from a turbopump located just downstream of a bellows that alters the 
flow across the convolutes. 

2. Partial flowliners where several of the bellows convolutes are not protected by the partial 
flowliner. 

3. A bellows where the inside diameter of the convolute roots is greater than the inside diameter 
of the smooth wall just upstream of the convolutes (i.e., the design has convolutes recessed from 
the main flow field). 


Evaluation of the fluids systems documentation products will focus on establishing confidence in the 
products, hardware design, and processes. Confidence will be established by assessing the provided 
documentation products against Government and industry standards, lessons learned, and best practices 
where they exist and are relevant to the fluid systems under assessment. 

Figure 7.5.3-1: Design Acceptability Flow Chart 


Assessments of Flow-Induced Vibration (FIV) for Flexhoses and Bellows fluid systems will place 
emphasis on the following: 

• Evaluation of flexhose and bellows hazard analysis to determine that components and systems 
will not cause injury to the crew or damage to flight hardware. 

• Review of flexhose and bellows design products to verify that the design requirements are met. 

• Evaluation of flexhose and bellows operating range FIV prediction analysis and fatigue life 
analysis to verify that design requirements are met. Fatigue life analysis may only be applied to 
those ground systems and equipment bellows and flexhoses, whose failure due to FIV does not 
result in a situation that jeopardizes the safety of personnel or cause damage/degradation of flight 
hardware during test operation or ground processing. 

• Evaluation of resonant flow test results to verify that design requirements are met. 

• Review of flexhose and bellows analysis, test procedures, and results will determine if a 
Commercial Provider’s standards meet the intent of MSFC-DWG-20M02540, Assessment of 
Flexible Lines for Flow-Induced Vibration and MSFC-SPEC-626, Test Control Document for 
Assessment of Flexible Lines for Flow Induced Vibration. 


7.5.4 Fluid Systems References 


| Document Number | Revision | Title |
|---|---|---|
| SAE-AS-5440 | Rev. A | Hydraulic Systems, Military Aircraft, Design and Installation Requirements for |


7.6 Propulsion Systems 

Launch vehicle propulsion systems (liquid, solid, or hybrid propellants) include boost stage, upper stage, 
in-space, and auxiliary propulsion systems. These systems may contain propellant tanks, propellant 
feed, pressurization, thrust vectoring, avionics, and data collection and monitoring systems. Propulsion 
systems require rigorous design, development, test, and evaluation (DDT&E) programs due to the 
inherent complexity and tight controls levied by extreme functional and performance targets necessary 
for ensuring crew safety and mission success. It should also be understood that due to the various types 
of propulsion systems, the various degrees of complexity of propulsion systems and the heritage of the 
specific propulsion system technology, there is no succinct method or set of predefined standards for 
propulsion system certification. 

Human-rating a given propulsion system cannot be completely addressed independently from the 
integrated vehicle architecture. Integration of systems across interfaces is key to understanding how a 
system could fail. Understanding these hazards and their potential propagation paths allows mitigations, 
such as fault avoidance (design out), design margins, redundancy, caution and warning devices, and/or 
special procedures to minimize flight risk. 

7.6.1 Propulsion Subsystem Technical Products 

Due to the variations in design implementation paths and risk management, it is necessary to invoke a 
comprehensive strategy that encompasses a wide range of engineering disciplines and practices to 
ensure the flight worthiness of propulsion systems for manned space vehicles. The propulsion system 
DDT&E process must be adequately documented and must be available for review throughout all stages 
of the propulsion system life-cycle. 

In this document, many of the transportation certification requirements sections reference technical 
products that complement propulsion system design. These products not only apply at the integrated 
vehicle-level, but are also applicable at the propulsion subsystem and critical components. 
Correspondingly, these products, listed in Sections 4.0 through 9.0, do not need to be repeated here, but 
will be evaluated as critical to propulsion systems, and this section must be augmented with those other 
technical products to be considered complete. 

In further support of design validation, the following products are typically used to substantiate that the 
propulsion system has been adequately designed and verified: 

• Functional and performance analysis reports with supporting verification reports/data (e.g., results 
from Water Hammer Analysis Model(s), system power balance model, motor ballistics analysis, 
propulsion system dynamics models, induced environments, component-level tests, qualification 
testing, etc.). 

• Propulsion system concept of operations (i.e., integrated system test and checkout, loading 
operations, timings and hardware operational sequence pre-launch, ignition, mainstage operation, 
shutdown, abort, and recovery). 

7.6.2 Propulsion Subsystem Technical Assessment 

Evaluation criteria will establish confidence in the propulsion systems products and processes by 
assessing the provided documentation products against Government and industry standards, lessons 
learned, and best practices where they exist and are relevant to the propulsion systems under assessment. 
The intent is to provide confidence that the design processes and operating procedures are 
commensurate with accepted standards and meet initial quality expectations for human space flight. 

Assessment of propulsion systems will place emphasis on the following: 

• Tank slosh damping characteristics are understood through well-anchored slosh analysis, typically 
through flight or ground test, and are consistent with control system stability analysis. 

• Evaluation of models, simulation data, and reports to assess whether models and simulations used 
in the design and certification of propulsion systems have been properly validated, utilized, and are 
configuration controlled. Examples include engine performance, ballistics, dynamic thrust vector 
error, thrust offset error, structural margins, thermal balance, plume impingement, water hammer, 
propellant slosh, and pogo. Analytical methodology and approach is significant in providing 
confidence, although it is preferable to have statistically relevant samples of test or flight data via a 
robust ground test program. Review and analysis of the modeling and analysis methodology will 
determine if a Commercial Provider’s standards meet the intent of JSC 65829, Loads and 
Structural Dynamics Requirements for Space Flight Hardware. 

• Evaluation of the propulsion system structural design, verification process, and associated 
documentation will determine if the Commercial Provider’s standards meet the intent of NASA- 
STD-5012, Strength and Life Assessment Requirements for Liquid Fueled Space Propulsion 
System Engines; JSC 65828, Structural Design Requirements and Factors of Safety for Space 
Flight Hardware; and NASA-STD-5019, Fracture Control Requirements for Spacecraft. 

• Evaluation of propulsion system and component design, and hazard analysis, reliability analysis, 
separation of critical redundant systems assessments, plans, and operations to determine that 
integrated components and systems will operate as designed and will not cause injury to the crew 
or damage to the system. 

• Review of acceptance and qualification data (test plans, procedures, and reports) to verify that the 
CTS (including refurbished or re-flown products) meets performance specifications, demonstrates 
acceptable quality and workmanship, and is ready to be committed to flight. Review and 
assessment of subsystems and unit qualification and acceptance data will determine if a 
Commercial Provider’s standards meet the intent of SMC-S-016, Test Requirements for Launch, 
Upper-Stage, and Space Vehicles. 

• Review of materials and process control systems to ensure consistent performance and proper 
functionality of the propulsion system and its components; special emphasis will be focused on 
solid rocket motors. Review of material and process control system to determine if the 
Commercial Provider’s standards meet the intent of NASA-STD-6016. 

• Evaluation of integrated propulsion system test documentation to assure that complex phenomena 
that could otherwise remain undiscovered prior to flight will be revealed. Examples include 
engine-to-engine coupling, component activation dynamics, and engine coupling with unexpected 
gas/vapor pockets. 

• Evaluation of propulsion systems and engines for stability margin to ensure that propulsion 
performance does not degrade and catastrophic loss of the engine/vehicle will not occur over the 
propulsion system operating range. Examples include chug, thrust oscillations, pump cavitation, 
and combustion instability. 

• Evaluation of high speed rotating machinery, including identification and quantification of high- 
risk rotordynamic frequencies. 

7.6.3 Propulsion Subsystem References 

The following list is intended to provide additional references that NASA has traditionally used and that 
may help to communicate the standards against which the Commercial Provider’s processes will be 
assessed. 


| Document Number | Revision | Title |
|---|---|---|
| ASME Y14.5M-2009 | | Dimensioning and Tolerancing |
| CPIA Publication 655, Jan 1997 | | Guidelines for Combustion Stability Specifications and Verification Procedures for Liquid Propellant Rocket Engines |
| MIL-DTL-38999 | | General Specification for Connectors, Electrical Circular, Miniature, High Density, Quick Disconnect (Bayonet, Threaded and Breech Coupling), Environment Resistant, Removable for Crimp and Hermetic Solder Contacts |
| MSFC-HDBK-505 | Rev. B | Structural Strength Program Requirements |
| MSFC-SPEC-164 | Rev. C | Specification for Cleanliness of Components for Use in Oxygen, Fuel, and Pneumatic Systems |
| MSFC-STD-3535 | Baseline | Standard for Propellants and Pressurants Used for Test and Test Support Activities at SSC and MSFC |
| NASA SP-106 | | The Dynamic Behavior of Liquids |
| NASA-STD-5001 | Rev. A | Structural Design and Test Factors of Safety for Spacecraft Hardware |
| NPR 8705.2B | Rev. B | NASA Human-Rating Requirements for Space Systems |
| SAE-AS-1098 | | Fitting End, Flared Tube, for Seal Ring, Standard Dimensions for, Design Standard |
| SWRI Publication by Dodge (2000) | | The New Dynamic Behavior of Liquids in Moving Containers |


7.7 Trailing Deployable Aerodynamic Decelerator 

7.7.1 Trailing Deployable Aerodynamic Decelerator (TDAD) Technical Products 

A primary requirement for manned spacecraft is to provide safe entry, landing, and recovery on Earth 
for crew returning from LEO destinations. 

Documentation must substantiate that the deceleration system has been adequately designed, 
manufactured, and verified to demonstrate compliance with the intent of this requirement using 
documented, accepted standards, and design guides, such as NWC TP 6575, Parachute Recovery System 
Design Manual (Knacke), and JSSG-2010-12, Crew Systems Deployable Aerodynamic Decelerator 
(DAD) Systems Handbook. JSC 65985, Requirements for Human Space Flight for the Trailing 
Deployable Aerodynamic Decelerator is the guiding document that defines design, test, and verification 
methodology for TDAD systems. 

Various documented technical standards exist in the TDAD design industry, the adequacies of which are 
subject to review. As such, the Commercial Provider should provide the following products during the 
flight certification process to ensure the TDAD has been sufficiently designed and verified: 

• Assembly and detailed drawings, drawing tree, and CAD models. 

• Concept of operations document, including timing sequences, system geometry, operational uses, 
and capabilities, as well as its integration with other components and/or subsystems, for the entire 
life-cycle and each mission phase of the system. 

• Interface control documents. 

• Design analysis reports (i.e., stress analysis reports, design models, simulations, and analysis). 

• Mass properties report comprised of mass values, as well as growth allowance allocations, for all 
system components. 

• Safety documents to include fault tree analysis, Probabilistic Risk Assessment results, hazard 
analysis, FMEA/Critical Items List (CIL), and reliability and maintainability (R&M) report. 

• V&V document defining the plan for (including type), and documenting the results of, V&V 
activities. 

• Qualification and acceptance procedures, including incoming materials lot acceptance. 

• Certification Plan. 

• Critical manufacturing processes. 

• Ground safety analysis report. 

• Sustaining Engineering Plan. 

• Materials identification and usage list (MIUL). 

• Test configuration documents. 

• Post-flight test (closure) reports. 

7.7.2 TDAD Technical Assessment 

Evaluation criteria for submitted documentation, standards, and processes will emphasize the following 
areas in order to determine whether the Commercial Provider’s standards meet the intent of JSC 65985, 
Requirements for Human Space Flight for the Trailing Deployable Aerodynamic Decelerator: 

• Overall system function and integrity, to include rate of descent. 

• Seam and joint testing reports. 

• Test descriptions for any static or dynamic testing (i.e., “test like you fly”). 

• Component, subsystem, and system requirements traceability. 

• Knowledge and verification of environments. 

• Design factors of safety and de-rating factors, as directed in NWC TP 6575, Parachute Recovery 
System Design Manual. 

• Modeling derivations and assumptions and trajectory and stress analyses to include wake effects 
on parachute performance and summary of margins of safety. 

• Load dispersions for nominal and off-nominal mission cases. 

• Safety and reliability approaches and mitigation plans for failure tolerance and failure propagation 
of each DAD subsystem design to verify single-fault tolerance (loss of crew) and satisfactory 
propagation methods. 

• Testing configuration and number of runs for full-scale system tests (nominal and off-nominal, 
documenting how close the configuration is to flight), material lots testing, and margin testing. 


7.7.3 TDAD References 


| Document Number | Revision | Title |
|---|---|---|
| ADS-TR-61-579 | | Performance of and Design Criteria for Deployable Aero Decelerators |
| ARM-10 | | Apollo Technical Manual - Reliability |
| ASTM D6193 | | Standard Practice for Stitches and Seams |
| JPR 8080.5 | | JSC Design and Procedural Standards |
| JSSG-2010-12 | | Crew Systems Deployable Aerodynamic Decelerator (DAD) Systems Handbook |
| MIL-H-7195 | | General Specification for Parachute Hardware |
| MIL-STD-129 | | Marking for Shipment and Storage |
| NASA-STD-3001 Vol. 1-2 | | Space Flight Human System Standards |
| NASA-STD-5005C | | Standard for the Design and Fabrication of Ground Support Equipment |
| NASA-STD-5019 | | Fracture Control Requirements for Space Flight Hardware |
| NASA-STD-6016 | | Standard Materials and Processes Requirements for Spacecraft |
| NPR 6000.1 | | Requirements for Packaging, Handling, and Transportation for Aeronautical and Space Systems, Equipment, and Associated Components |
| NPR 8705.2 | | NASA Human-Rating Requirements for Space Systems |

8.0 Materials, Processes, and Fracture Control 

8.1 Fracture Control 

8.1.1 Fracture Control Technical Products 

It is NASA policy that fracture control be imposed on all human-rated space flight hardware to ensure 
safety by mitigating the risk of catastrophic failure due to the presence of flaws. 

It is expected that an FCP and an FCSR consistent with the intent of NASA-STD-5019, Fracture 
Control Requirements for Spacecraft will be generated. 

8.1.2 Fracture Control Technical Assessment 

In order to substantiate that the Commercial Provider has met the intent of NASA-STD-5019, the FCP 
will be evaluated to assure that specific fracture control methodology and procedures are in place for the 
prevention of catastrophic failure associated with propagation of cracks, flaws, or damage during 
fabrication, testing, handling, transportation, and operational life. The plan should also include a 
description of how the prime contractor or vehicle owner imposes any applicable fracture control 
requirements onto subcontractors and suppliers. 

It is expected that the FCSR will provide the following information as described in NASA-STD-5019, 
Section 6.3: 

• Sufficient information to ensure certification that fracture control requirements have been met. 

• Sufficient hardware descriptions, including sketches and figures, to convey a clear understanding 
of the hardware elements and their functions. 

• Supporting detailed documentation. 

• An accounting of all parts and their disposition for fracture control. 

• For failsafe parts, identification of NDE and inspection plans, Material Usage Agreements 
(MUAs), discrepancies, or deviations from design that affect fracture control and flaw detections 
and their resolutions. 

• Identification of any flaws that may be accepted on risk by the Program authority. 


8.1.3 Fracture Control References 


| Document Number | Revision | Title |
|---|---|---|
| SSP 30558 | | Fracture Control Requirements for Space Station |
| NASA-HDBK-5010 Volume 1 | | Fracture Control Implementation Handbook for Space Flight Hardware other than Composite or Bonded Parts |
| NASA-HDBK-5010 Volume 2 | | Fracture Control Implementation Handbook for Space Flight Hardware Composite or Bonded Parts |
| JSC 25863B | | Fracture Control Plan for JSC Space-Flight Hardware |

8.2 Materials and Processes 

8.2.1 Materials and Processes Technical Products 

In order to validate the flight readiness of any hardware or system, there are minimum requirements for 
materials and processes (M&P) that must be met. Included are M&P requirements used in design, 
fabrication, and testing of flight components for both manned and unmanned spacecraft systems. 

All hardware is covered by M&P requirements, including vendor-designed, off-the-shelf, and vendor- 
furnished items. The prime contractor is responsible to flow down these requirements to their 
subcontractors and lowest component-level suppliers. To prevent damage or contamination of flight 
hardware, also covered are interfacing ground support equipment, hardware processing equipment, 
hardware packaging, and hardware shipment. 

The Commercial Provider will be responsible for meeting the intent of NASA-STD-6016 requirements. 
This may be accomplished through the development of an M&P Selection, Control, and Implementation 
Plan, or by constructing a matrix of applicable and non-applicable paragraphs. 

It is recommended that, within the construct of the Implementation Plan or applicability matrix, the 
following subject matter be specifically addressed: 

• NDE Plan. 

• Contamination Control Plan. 

• Finishes Plan. 

• Design allowables. 

• MUAs. 

• Materials and Processes Identification and Usage List (MIUL). 

8.2.2 Materials and Processes Technical Assessment 

Many of the system sections of this document identify specific subsets of the products and technical 
assessments expected for M&P. Although these subsets are of especial interest to the specific system, it 
is noted that the M&P products and technical assessments identified in this section are expected for all 
hardware systems, regardless of whether they are specifically identified under those systems or not. 

A review of the submitted M&P documentation and plans will focus on the following elements to 
substantiate that the Commercial Provider’s standards for M&P meet the intent of NASA-STD-6016: 

• Assurance that the M&P used are selected by considering the worst-case operational requirements 
for the particular application and the design engineering properties of the candidate materials. 

• Identification of applicable standards and specifications, including Government, industry, and 
company generated. 

• Documentation of the methods used to control compliance of requirements by subcontractors and 
vendors. 

• Methodology for coordinating, approving, and tracking all engineering drawings, engineering 
orders, and other documents that establish or modify materials and/or processes usage. 

8.3 Natural Environments 

“Natural environments,” as the term is used here, refers to the environments that are not the result of 
intended human activity or intervention. They consist of a variety of external environmental factors 
(most of natural origin and a few of human origin) which impose restrictions or otherwise impact the 
development or operation of aerospace vehicles. Natural environment technical areas are generally 
grouped into the following classifications: 

a. Terrestrial environments at pre-launch, launch, abort, and normal and abort landing sites (e.g., 
winds, temperatures, pressures, surface roughness, sea state, etc.). 

b. Space environments (e.g., ionizing radiation, orbital debris, meteoroids, thermosphere density, 
plasma, solar, Earth, and lunar-emitted thermal radiation, etc.). 

c. Destination environments. 

These factors are outside the actual control of the Program, so the Program controls the risks and 
“definition” of these factors (i.e., the models, data sets, and descriptions) in order to maintain a uniform, 
consistent, and verifiable baseline for hardware development. NASA considers it important that the 
natural environment be maintained under good configuration management by the Program (i.e., the 
Commercial Provider, in this case). The intent is to keep a unified specification of the natural 
environments over which all flight elements can operate. 

8.3.1 Natural Environment Technical Products 

Natural environmental specifications are derived from the DRMs specific for a program and are 
designed to match the program operational, risk, and cost goals as much as possible. Coordination 
between environment specifications and the DRMs must be maintained. Note that these specifications 
are actually a support to the design process because the data and models specified are frequent inputs to 
the engineering analysis. Various approaches for documenting natural environments may be used, but 
the following basic elements of the product structure are typically needed: 

a. Top-Level Natural Environment Specification - This document defines the environmental 
parameter limits (maximum and minimum values, energy spectra or precise model inputs, 
assumptions, model options, etc., consistent with Program risk policy), to be used in the design and 
development of all Program flight elements. It is also used as a reference by ground support 
hardware, since GSE must support the operation of the flight hardware. 

b. Detail-Level Environment Specification - Typically, this is a compilation of the natural and 
derived environments (natural environments as modified by the flight hardware) and induced 
environments applicable at the box or vehicle zone-level. This information is needed in the design 
process and for subcontract specifications (where applicable). 

c. Applicability Matrices - These are detailed breakdowns of what environments apply to each 
hardware element or system. The matrix, at least at top-level, should address all mission phases, 
because environment specifications will change with each phase, and separation of active versus 
inactive hardware may also be needed. These may be included within detailed-level specification, 
if desired. 

d. Launch Commit and Operational Flight Rules - One or more documents that specify the 
environmental limits on launch, landing, and flight operations. These rely heavily upon the 
top-level specification, because the top-level specification defines the limits of the flight hardware 
capability; however, the technical data and models used there are generally not appropriate for the 
operational phase. The design phase is based largely on climatic data and statistical models, while 
real-time observations and forecast models are appropriate for operational support. 

8.3.2 Natural Environment Technical Assessments 

Most environments must be addressed at multiple levels, depending upon the architecture. Thus, the 
process of identifying where an environment is a key driver and where it is just a routine input to the 
engineering process highlights the importance of the flow down from the top-level specification to the 
detailed-level specification. The key drivers may be handled by robust design, by accepting risk, or by 
operational mitigation and constraints. Pre-flight transportation and storage specifications are addressed 
by environment control, packaging, or environment monitoring to assure the flight hardware is not 
adversely affected. For all phases, one is looking for thoroughness in the approach to eliminate latent 
damage to inactive hardware, as well as complete coverage of all active phases. Thoroughness also 
implies accounting for the less prominent environment effects (i.e., spacecraft charging, ionizing 
radiation single event effects to the launch vehicle, orbital debris threats to exposed cables or 
instruments, etc.). 

In the development of the top-level design specifications, one is looking for widely recognized, peer 
reviewed models and limits derived from data sets with long periods of record and good quality, directly 
applicable data. Uncertainties should be defined wherever possible. Some useful models that meet 
these criteria are listed in the following section. Note that these models do not include margins; 
margins are generally not added, so that margin is not doubled up with the engineering margins. 

Environment assessments for the Commercial Providers have an added complexity in that they must 
address environment-related ISS requirements from SSP 50808. Many Space Station environment 
specifications have not been updated, so they represent knowledge of the environment that is several 
decades old. Generally, these older specifications can be considered to “do the job,” but there are some 
exceptions and concerns. Ionizing radiation values in these older specifications are considered overly 
conservative for single event effects. The Providers should work carefully with both the CCP and the 
ISS Program Offices to assure a suitable resolution of these issues. 

8.3.3 Natural Environment Design References 

The following list includes documents and environment models that have been found to be particularly 
useful and suitable to support space flight hardware development activities. The models listed may 
NOT be appropriate for operational applications; operational models are selected based on different 
criteria. 


| Document Number | Revision | Title |
|---|---|---|
| AE9/AP9 | | Trapped Energetic Electron and Proton Environments (NSSDC/SDC-A-R&S 76-06 and NSSDC WDC-A-R&S 91-24) |
| CREME96 | | Cosmic Ray Effects on Microelectronics, Single Event Upset Environments. Do not use for electrons. |
| E. Normand & T.J. Baker, 1993 | | Altitude and Latitude Variations in Avionics SEU and Atmospheric Neutron Flux, IEEE Transactions On Nuclear Science, Vol. 40, No. 6, December 1993 |
| Edwards, Normand & Dyer, 2004 | | Technical Standard for Atmospheric Radiation Single Event Effects (SEE) on Avionics Electronics, 0-7803-8697-3/04/$20.00 ©2004 IEEE |
| Earth-GRAM 2010 | | Global Reference Atmosphere Model (available from EV44, MSFC) |
| Emission of Solar Protons | | Solar Proton Event, Galactic Cosmic Ray Environments, Geomagnetic Shielding |
| International Geomagnetic Reference Field | | Terrestrial Magnetic Field |
| International Reference Ionosphere | | Cold Low Earth Orbit Plasma Environments Ionosphere |
| Jacchia-Bowman | 2008 | Thermosphere drag (available within Earth-GRAM 2010) |
| King 1972 SPE Model | | Crew Dose for Exposure to Solar Particle Event, Not Recommended for Avionics Applications. Journal of Spacecraft and Rockets, 11, 401, 1974 |
| MEM | | Meteoroid Engineering Model (available from EV44, MSFC) |
| MSIS-86 | | Atomic oxygen (available within Earth-GRAM 2010) |
| MVWP | | Monthly Vector Wind Model (See NASA/TM 2008-215633) |
| NASA/TM-2001-211221 | | Guidelines for the Selection of Near-Earth Thermal Environment Parameters for Spacecraft Design |
| NASA/TM-2008-215633 | | Terrestrial Environment (Climatic) Criteria Guidelines for Use in Aerospace Vehicle Development, 2008 Revision |
| O’Neill-Badhwar GCR Model | 2006 | O’Neill, P.M., Badhwar-O’Neill Galactic Cosmic Ray Model Update Based on Advanced Composition Explorer (ACE) Energy Spectra from 1997 to Present, Advances in Space Research, Vol. 37, pp 1727-1733, 2006 |
| ORDEM 3.0 | | Orbital Debris Engineering Model from the JSC Orbital Debris Program Office |
| Solar Irradiance Platform | | UV-EUV |


9.0 Software 

9.1 Flight and Ground Software 

9.1.1 Flight and Ground Software Technical Products 

A review of Commercial Provider documentation covering the requirements, design, implementation, 
test and verification, operation, and management of safety critical software products will be performed 
to ensure that they address the intent of appropriate NASA standards and specifications. Of interest are 
those items classified as ‘Class A’ according to the definition contained in Appendix E of NPR 7150.2A, 
specifically ground and flight software ‘developed and/or operated by or for NASA that is needed to 
perform a primary mission objective of human space flight and directly interacts with human space 
flight systems,’ and that has direct impacts on the health and safety of the crew. NASA will negotiate 
with each Commercial Provider to jointly identify the specific software products that fall into this 
category. 

Documentation related to any software models or simulations whose results are used to make critical 
decisions regarding design, development, manufacturing, and ground or flight operations that may 
impact human safety or Program defined mission success criteria will also be reviewed. Of particular 
interest are the methods and procedures used for verification, validation, and quantification of 
uncertainty that is used to assess and certify the credibility of the model. 

Special emphasis will be placed on those software items that are determined to be of a safety critical 
nature. As part of a system-wide hazard analysis conducted on both flight and ground segments, 
specific components or subsystems that are able to cause, control, detect, or mitigate safety hazards are 
identified. For those hazards with potentially catastrophic consequences, such as loss of crew or loss of 
vehicle, any software products associated with those functions should be included in the system hazard 
analyses to the level where appropriate software and hardware controls and mitigations can be 
identified. The results of this study should outline the methods by which the design or testing of this 
software may be used to mitigate these possibilities by preventing the hazardous behavior from 
occurring, reducing the likelihood of a catastrophic event occurring, or minimizing the negative 
effects of a safety critical fault or failure. Additional information regarding the process for identifying 
and classifying safety critical software, as well as methods for performing a software safety analysis and 
creating a software safety report, may be found in NASA-STD-8719.13B, Software Safety Standard and 
NASA-GB-8719.13, Software Safety Guidebook. 

Also of interest to NASA is how the Commercial Provider will address the intent of appropriate 
requirements contained in the NASA Security of Information Technology Standard designed to 
adequately ensure the confidentiality, integrity, and availability of critical software components. 

A thorough review of appropriate software security plans, policies, and procedures concerning the 
management of safety critical software components will be conducted to determine that sufficient 
security controls and protection are implemented. 

Specific documents to be examined include the full set of artifacts produced during the software 
life-cycle process as conducted in accordance with commonly accepted industry standards (e.g., 
DOD-STD-2167A, MIL-STD-498, IEEE J-STD-016, ISO 12207, etc.) and will normally include, but not 
be limited to, some or all of the following: 

• Software management plans. 

• Software security plans for development environment of Class A products. 

• Software development plans. 

• Software requirements specifications. 

• Software operations concept documents. 

• Software design documents. 

• Software product specifications. 

• Software interface design documents. 

• Software test plans. 

• Software test procedures. 

• Software test reports. 

• Software user’s manuals. 

• Software Safety Plan. 

• Software quality report. 

9.1.2 Flight and Ground Software Technical Assessment 

A review of the software technical products will substantiate that the Commercial Provider software 
design processes meet the intent of NPR 7150.2A, NASA Software Engineering Requirements, for Class 
A software. 

Specific areas to be focused on during this review include how critical software components will be 
designed, developed, tested, managed, and used in the overall design and operation of the vehicle, and 
how those components will ensure a safe and habitable environment for the crew and support the 
detection and mitigation of any risks to their well-being. These factors are the result of acquired 
knowledge and lessons learned from over fifty years of NASA human space flight experience and 
generally involve topics, such as: 

• Fault tolerance. 

• Failure detection, identification, and isolation or recovery. 

• Similar or dissimilar redundancy. 

• Autonomous operation of safety critical functions. 

• Manual override of automatic functions. 

• Extent of ground and crew visibility into system operation and performance. 

• Amount of crew involvement and interaction required. 

• Accurate and timely notifications of faults and anomalies. 

• Command authentication and validation, including response to inadvertent commanding. 

• Ground monitor and control of vehicle systems without crew involvement. 

• Maintaining vehicle control and crew environment during abort scenarios. 


9.1.3 Flight and Ground Software References 


| Document Number | Revision | Title |
|---|---|---|
| NPR 2810.1A | Rev. A | Security of Information Technology |
| NPR 7150.2A | Rev. A | NASA Software Engineering Requirements |
| NASA-STD-7009 | | Standard for Models and Simulations |


Appendix A: Acronyms 


| Acronyms | Phrase |
|---|---|
| ACE | Advanced Composition Explorer |
| CCP | Commercial Crew Program |
| CIL | Critical Items List |
| COPV | Composite Overwrapped Pressure Vessel |
| COTS | Commercial Off the Shelf |
| CTS | Crew Transportation System |
| DDT&E | Design, Development, Test, and Evaluation |
| DRM | Design Reference Mission |
| EEE | Electrical, Electronic, and Electromechanical |
| EMC | Electromagnetic Compatibility |
| EMI | Electromagnetic Interference |
| ESD | Electrostatic Discharge |
| FAA | Federal Aviation Administration |
| FCP | Fracture Control Plan |
| FCSR | Fracture Control Summary Report |
| FMEA | Failure Mode and Effects Analysis |
| GCR | Galactic Cosmic Radiation |
| GN&C | Guidance, Navigation, and Control |
| GSE | Ground Support Equipment |
| HBM | Human Body Model |
| Hz | Hertz |
| IEEE | Institute of Electrical and Electronic Engineers |
| ISO | International Standards Organization |
| ISS | International Space Station |
| IV&V | Independent Verification and Validation |
| JSC | Johnson Space Center |
| KSC | Kennedy Space Center |
| LEO | Low Earth Orbit |
| M&P | Materials and Processes |
| MIUL | Materials Identification and Usage List |
| MMOD | Micro Meteoroid Orbital Debris |
| MOTS | Military Off the Shelf |
| MPS | Main Propulsion System |
| MUA | Materials Usage Agreement |
| NASA | National Aeronautics and Space Administration |
| NDE | Nondestructive Evaluation |
| NHLBB | Non-Hazardous Leak Before Burst |
| NPD | NASA Policy Document |
| NPR | NASA Procedural Requirement |
| p-Static | Precipitation Static |
| PVD | Purge, Vent, Drain |
| R&M | Reliability and Maintainability |
| RF | Radio Frequency |
| S&MA | Safety and Mission Assurance |
| SEE | Single Event Effects |
| SVP | Structural Verification Plan |
| TDAD | Trailing Deployable Aerodynamic Decelerator |
| TPS | Thermal Protection System |

Appendix B: 1100 Series Definitions 


Term 

Definition 

Abort 

The forced early return of the crew when failures or the existence of 
uncontrolled catastrophic hazards prevent continuation of the mission profile 
and a return is required for crew survival. 

Ambient Light 

Any surrounding light source (existing lighting conditions). This could be a 
combination of natural lighting (e.g., sunlight, moonlight) and any artificial 
light source provided. For example, in an office there would be ambient light 
sources of both the natural sunlight and the fluorescent lights above (general 
office lighting). 

Analysis 

A verification method utilizing techniques and tools, such as math models, prior 
test data, simulations, analytical assessments, etc. Analysis may be used in lieu 
of, or in addition to, other methods to ensure compliance to specification 
requirements. The selected techniques may include, but not be limited to, task 
analysis, engineering analysis, statistics and qualitative analysis, computer and 
hardware simulations, and analog modeling. Analysis may be used when it can 
be determined that rigorous and accurate analysis is possible, test is not cost 
effective, and verification by inspection is not adequate. 

Annunciate 

To provide a visual, tactile, or audible indication. 

Approach Ellipsoid 

A 4 x 2 x 2 km ellipsoid, centered at the ISS center of mass, with the long axis 
aligned with the V-Bar. 

Approach Initiation 

The approach initiation is the first rendezvous maneuver during a nominal 
approach that is targeted to bring the vehicle inside the ISS approach ellipsoid 
(AE). 

Ascent 

The period of time from initial motion away from the launch pad until orbit 
insertion during a nominal flight or ascent abort initiation during an abort. 

Ascent Abort 

An abort performed during ascent, where the crewed spacecraft is separated 
from the launch vehicle without the capability to achieve the desired orbit. The 
crew is safely returned to a landing site in a portion of the spacecraft nominally 
used for entry and landing/touchdown. 

Automated 

Automatic (as opposed to human) control of a system or operation. 

Autonomous 

Ability of a space system to perform operations independent from any ground- 
based systems. This includes no communication with, or real-time support 
from, mission control or other ground systems. 

Backout 

During mission execution, the coordinated cessation of a current activity or 
procedure and careful return to a known, safe state. 

Breakout 

Any action that interrupts the nominally planned free flight operations that are 
intended to place the spacecraft outside of a threatening location to the 
cooperative vehicle. This may be an automated or manually executed action. 
For the ISS, the area within which a vehicle poses a threat to ISS is called the 
Approach Ellipse. 

Cargo 

An item (or items) required to maintain the operability of the ISS and/or the 
health of its crew, and that must be launched and/or returned. 

Catastrophic Event 

An event resulting in the death or permanent disability of a ground closeout or 
flight crewmember, or an event resulting in the unplanned loss/destruction of a 
major element of the CTS or ISS during the mission that could potentially result 
in the death or permanent disability of a flight crewmember. 

Catastrophic Hazard 

A condition that could result in the death or permanent disability of a ground 
closeout or flight crewmember, or in the unplanned loss/destruction of a major 
element of the CTS during the mission that could potentially result in the death 
or permanent disability of a flight crewmember. 

Command 

Directive to a processor or system to perform a particular action or function. 

Communications Coverage 

Communication coverage is defined as successful link availability for nominal 
ascent and entry trajectories. 

Communications Link 

A communication link is established, whereas the received commands and 
voice from the CVCC to the spacecraft and the transmitted health and status 
data, crew health and medical related data, voice, telemetry, and transmitted 
launch vehicle and spacecraft engineering data are received. 

Consumable 

Resource that is consumed in the course of conducting a given mission. 
Examples include propellant, power, habitability items (e.g., gaseous oxygen), 
and crew supplies. 

Continental U.S. 
Airport 

An airport within the continental United States capable of accommodating 
executive jet aircraft similar to the Gulfstream series aircraft. 

Contingency 

Provisioning for an event or circumstance that is possible but cannot be 
predicted with certainty. 

Contingency 
Spacecraft Crew 
Support (CSCS) 

CSCS is declared when the spacecraft crew takes shelter on the ISS because the 
spacecraft has been determined to be unsafe for reentry. In this case, a rescue 
mission is required to return the spacecraft crew safely. 

Crew 

Any human onboard the spacecraft after the hatch is closed for flight or onboard 
the spacecraft during flight. 

Crew Transportation 
System (CTS) 

The collection of all space-based and ground-based systems (encompassing 
hardware and software) used to conduct space missions or support activity in 
space, including, but not limited to, the integrated space vehicle, space-based 
communication and navigation systems, launch systems, and mission/launch 
control. 

Critical Decision 

Those technical decisions related to design, development, manufacturing, 
ground, or flight operations that may impact human safety or mission success, 
as measured by defined criteria. 

Critical Fault 

Any identified fault of software whose effect would result in a catastrophic 
event or abort. 

Critical Function 

Mission capabilities or system functions that, if lost, would result in a 
catastrophic event or an abort. 

Critical Hazard 

A condition that may cause a severe injury or occupational illness. 

Critical Software 

Any software component whose behavior or performance could lead to a 
catastrophic event or abort. This includes the flight software, as well as ground- 
control software. 

Critical Software/Firmware 

Software/Firmware that resides in a safety-critical system that is a potential 
hazard cause or contributor, supports a hazard control or mitigation, controls 
safety-critical functions, or detects and reports 1) fault trends that indicate a 
potential hazard and/or 2) failures which lead to a hazardous condition. 

Critical (sub) System 

A (sub)system is assessed as critical if loss of overall (sub)system function, or 
improper performance of a (sub)system function, could result in a catastrophic 
event or abort. 

CTS Certification 

CTS certification is the documented authorization granted by the NASA 
Associate Administrator that allows the use of the CTS within its prescribed 
parameters for its defined reference missions. CTS certification is obtained 
prior to the first crewed flight (for flight elements) or operational use (for other 
systems). 

CTS Element 

One component part of the overall Crew Transportation System. For example, 
the spacecraft is an element of the CTS. 

Deconditioned 

“Deconditioned” defines a space crewmember whose physiological capabilities, 
including musculoskeletal, cardiopulmonary, and neurovestibular, have 
deteriorated as a result of exposure to micro-gravity and the space environment. 
It results in degraded crewmember performance for nominal and off-nominal 
mission tasks. 

Definitive Medical 
Care 

An inpatient medical care facility capable of comprehensive diagnosis and 
treatment of a crewmember's injuries or illness without outside assistance — 
capable of care of Category I, II, and III trauma patients. Usually a Level I 
trauma center, as defined by the American College of Surgeons. 

Demonstration 

A method of verification that consists of a qualitative determination of the 
properties of a test article. This qualitative determination is made through 
observation, with or without special test equipment or instrumentation, which 
verifies characteristics, such as human engineering features, services, access 
features, and transportability. Human-in-the-loop demonstration is performed 
for complex interfaces or operations that are difficult to verify through 
modeling analysis, such as physical accommodation for crew ingress and 
egress. Demonstration requirements are normally implemented within a test 
plan, operations plan, or test procedure. 

Docking 

Mating of two independently operating spacecraft or other systems in space 
using independent control of the two vehicles' flight paths and attitudes during 
contact and capture. Docking begins at the time of initial contact of the 
vehicles' docking mechanisms and concludes when full rigidization of the 
interface is achieved. 

Downrange Abort 
Exclusion Zone 

A geographical region of the North Atlantic Ocean to be avoided for water 
landings during ascent aborts for ISS missions due to rough seas and cold water 
temperatures. The region is depicted in Figure B-1. The St. John’s abort 
landing area includes the waters within 200 nmi range to St John’s International 
Airport (47° 37’ N, 52° 45’ W). The Shannon abort landing area includes the 
waters within 200 nmi range to Shannon International Airport (52° 42’ N, 8° 55’ W). 
Note: The northern and southern bounds of the DAEZ in the ISS 
Mission DAEZ figure are notional, as these bounds are limited only by steering 
and cross-range performance along the ascent trajectory and are not formally 
constrained. 

Downrange Abort 
Exclusion Zone 
Figure 

Figure B-1 Ascent Downrange Abort Exclusion Zone 

Emergency 

An unexpected event or events during a mission that requires immediate action 
to keep the crew alive or prevent serious injury from occurring. 

Emergency Egress 

Capability for a crew to exit the vehicle and leave the hazardous situation or 
catastrophic event within the specified time. Flight crew emergency egress can 
be unassisted or assisted by ground personnel. 

Emergency 
Equipment and 
Systems 

Systems (ground or flight) that exist solely to prevent loss of life in the presence 
of imminent catastrophic conditions. Examples include fire suppression 
systems and extinguishers, emergency breathing devices, Personal Protective 
Equipment (PPE) and crew escape systems. Emergency systems are not 
considered a leg of failure tolerance for the nominal, operational equipment and 
systems, and do not serve as a design control to prevent the occurrence of a 
catastrophic condition. 

Emergency Medical 
Services 

Services required to provide the crewmembers with immediate medical care to 
prevent loss of life or aggravated physical or psychological conditions. 

End of Mission 

The planned landing time for the entire mission, including the nominal pre- 
flight agreed to docked mission duration. 

Entry 

The period of time that begins with the final commitment to enter the 
atmosphere from orbit or from an ascent abort, and ending when the velocity of 
the spacecraft is zero relative to the landing surface. 

Entry Interface 

The point in the entry phase where the spacecraft contacts the atmosphere 
(typically at a geodetic altitude of 400,000 feet), resulting in increased heating 
to the thermal protection system and remainder of the spacecraft exterior 
surfaces. 

External Launch 
Constraint 

Conditions outside the CTS provider's control, such as range weather 
constraints or faults with range or ISS assets, or weather constraints affecting 
abort rescue forces capabilities. Range weather examples include ability to 
visually monitor the initial phases of the launch for range safety, etc. Non- 
weather range constraints include range safety radar and telemetry systems 
availability, flight termination systems readiness, clearance of air, land, sea, etc. 

Failure 

Inability of a system, subsystem, component, or part to perform its required 
function within specified limits. 

Failure Tolerance 

The ability to sustain a certain number of failures and still retain capability. A 
component, subsystem, or system that cannot sustain at least one failure is not 
considered to be failure tolerant. 

Fault 

An undesired system state and/or the immediate cause of failure (e.g., 
maladjustment, misalignment, defect, or other). The definition of the term 
“fault” envelops the word “failure,” since faults include other undesired 
events, such as software anomalies and operational anomalies. Faults at a lower 
level could lead to failures at the higher subsystem or system level. 

Flight Configuration 

The arrangement, orientation and operational state of system elements and 
cargo, vehicle cabin layout, flight software mode, and crew complement, 
clothing and equipment in the applicable mission or ground phase necessary in 
verification to evaluate the attributes called out in the requirement. 

Flight Hardware 

All components and systems that comprise the internal and external portions of 
the spacecraft, launch vehicle, launch abort system, and crew worn equipment. 

Flight Operations 

All operations of the integrated space vehicle and the crew and ground teams 
supporting the integrated space vehicle from liftoff until landing. 

Flight Phase 

A particular phase or timeframe during a mission is referred to as a flight phase. 
The term “all flight phases” is defined as the following flight phases: pre- 
launch, ascent, onorbit free-flight, docked operations, deorbit/entry, landing, 
and post-landing. 

Flight Representative 

Description of a test-article used in verifications in which the attributes under 
evaluation are equivalent to the flight article. 

Example: Human-in-the-loop tests for spacecraft egress must use an equivalent 
cabin layout, seats and restraints, and hatch configuration and masses. However, 
the propulsion system does not need to be functional, as it is not under 
evaluation. 

Flight Rules 

Established redline limits for critical flight parameters. Each has pre-planned 
troubleshooting procedures with pre-approved decisions for expected 
troubleshooting results. 

Flight Systems 

Any equipment, system, subsystem or component that is part of the integrated 
space system. 

Flight Termination 

An emergency action taken by range safety when a vehicle violates established 
safety criteria for the protection of life and property. This action circumvents 
the vehicle’s normal control modes and ends its powered and/or controlled 
flight. 

Free Flight 
Operations 

Onorbit operations that occur when the spacecraft is not in contact with any part 
of the ISS. 

Ground Crew 

Operations personnel that assist the flight crew in entering the spacecraft, 
closing the hatch, performing leak checks, and working on the integrated space 
vehicle at the pad during launch operations. 

Ground Hardware 

All components and systems that reside on the ground in support of the mission, 
including the Commercial Vehicle Control Center, launch pad, ground support 
equipment, recovery equipment, facilities, and communications, network, and 
tracking equipment. 

Ground Processing 

The work required to prepare the launch vehicle and spacecraft for mission 
from final assembly/integration/test through launch and resumes after landing 
for recovery of crew and cargo. 

Ground Support 
Equipment 

Any non-flight equipment, system(s), ground system(s), or devices specifically 
designed and developed for a direct physical or functional interface with flight 
hardware to support the execution of ground production or processing. The 
following are not considered to be GSE: 

• Tools designed for general use and not specifically for use on flight 
hardware. 

• Ground Support Systems that interface with GSE Facilities. 

Habitable 

The environment that is necessary to sustain the life of the crew and to allow 
the crew to perform their functions in an efficient manner. 

Hazard 

A state or a set of conditions, internal or external to a system, that has the 
potential to cause harm. 

Hazard Analysis 

The process of identifying hazards and their potential causal factors. 

Health and Status 
Data 

Data, including emergency, caution, and warning data, that can be analyzed or 
monitored describing the ability of the system or system components to meet 
their performance requirements. 

Human Error 

Either an action that is not intended or desired by the human or a failure on the 
part of the human to perform a prescribed action within specified limits of 
accuracy, sequence, or time that fails to produce the expected result and has led 
or has the potential to lead to an unwanted consequence. 

Human Error 
Analysis (HEA) 

A systematic approach used to evaluate human actions, identify potential 
human error, model human performance, and qualitatively characterize how 
human error affects a system. HEA provides an evaluation of human actions 
and error in an effort to generate system improvements that reduce the 
frequency of error and minimize the negative effects on the system. HEA is the 
first step in Human Risk Assessment and is often referred to as qualitative 
Human Risk Assessment. 

Human-in-the-Loop Evaluation

Human-in-the-loop evaluations involve having human subjects, which include 
NASA crewmembers as a subset of the test subject population, perform 
identified tasks in a representative mockup, prototype, engineering, or flight 
unit. The fidelity of mockups used for human-in-the-loop evaluations may 
range from low-fidelity, minimal representation, to high-fidelity, complete 
physical and/or functional representation, relevant to the evaluation. Ideally, 
the fidelity of human-in-the-loop mockups and tests increases as designs mature 
for more comprehensive evaluations. Further information on human-in-the-loop
evaluations throughout system design can be found in JSC 65995 CHSIP.

Human-System Integration

The process of integrating human operations into the system design through 
analysis, testing, and modeling of human performance, interface 
controls/displays, and human-automation interaction to improve safety, 
efficiency, and mission success. 

Ill or Injured

Refers to a crewmember whose physiological and/or psychological well-being 
and health has deteriorated as a result of an illness (e.g., appendicitis) or injury 
(e.g., trauma, toxic exposure) and requires medical capabilities exceeding those 
available on the ISS and transportation to ground-based definitive medical care. 
Ill or injured crewmember performance for nominal and off-nominal mission
tasks will be degraded. 

Inspection 

A method of verification that determines conformance to requirements by the 
use of standard quality control methods to ensure compliance by review of 
drawings and data. This method is used wherever documents or data can be 
visually used to verify the physical characteristics of the product instead of the 
performance of the product. 

Integrated Operations

All operations starting at 90 minutes prior to the ISS Approach Initiation and 
lasting until the vehicle leaves the ISS Approach Ellipsoid on a non-return 
trajectory. 

Integrated Space Vehicle

The integrated space vehicle includes all flight elements physically connected 
for the phase of flight from post lift-off until spacecraft separation. 

Landing 

The final phase or region of flight consisting of transition from descent to an 
approach, touchdown, and coming to rest. 

Landing Site 

Supported Landing Sites: A fully supported site on a Continental U.S. land 
mass or waters directly extending from the coast with CTS recovery forces on 
station at the time of landing. The landing site zone extends through nominally 
expected dispersions from the landing site point. 

Designated Primary Landing Site - A supported landing site intended for
landing at the time of spacecraft undock.

Alternate Landing Site - A supported landing site to which the spacecraft 
landing can be diverted in the event the deorbit burn is delayed. 

Unsupported Landing Sites: 

Emergency Landing - Any unsupported site (land or water) arrived at due to
critical failures that force immediate return and preclude landing at a designated
primary or alternate landing site.

Launch Commit Criteria

Established redline limits for critical launch parameters. Each has pre-planned 
troubleshooting procedures with pre-approved decisions for expected 
troubleshooting results. 

Launch Opportunity 

The period of time during which the relative position of the launch site, the ISS 
orbital plane, and ISS phase angle permit the launch vehicle to insert the 
spacecraft into a rendezvous trajectory with the ISS (northerly launches only 
due to range constraints). The ISS is in-plane with the Eastern Range 
approximately every 23 hours and 36 minutes. 

Launch Probability 

The probability that the system will successfully complete a scheduled launch 
event. The launch opportunity will be considered scheduled at 24 hours prior to 
the opening of the launch window. 

Launch Vehicle 

The vehicle that contains the propulsion system necessary to deliver the energy 
required to insert the spacecraft into orbit. 

Life-Cycle 

The totality of a program or project extending from formulation through 
implementation, encompassing the elements of design, development, 
verification, production, operation, maintenance, support, and disposal. 

Loss of Crew 

Death or permanently debilitating injury to one or more crewmembers. 

Loss of Mission 

Loss of, or the inability to complete enough of, the primary mission objectives, 
such that a repeat mission must be flown. 

Maintenance

The function of keeping items or equipment in, or restoring them to, a specified 
operational condition. It includes servicing, test, inspection, 
adjustment/alignment, removal, replacement, access, assembly/disassembly, 
lubrication, operation, decontamination, installation, fault location, calibration, 
condition determination, repair, modification, overhaul, rebuilding, and 
reclamation. 

Manual Control 

The crew's ability to bypass automation in order to exert direct control over a 
space system or operation. For control of a spacecraft's flight path, manual 
control is the ability for the crew to affect any flight path within the capability 
of the flight control system. Similarly, for control of a spacecraft's attitude, 
manual control is the ability for the crew to affect any attitude within the 
capability of the flight/attitude control system. 

MCC-H Mission Authority

• MCC-H has authority to make final decisions regarding spacecraft 
operations, including but not limited to Go/No-Go decisions and safety of 
flight and crew(s). 

• Beginning with either ISS integrated operations, or 30 minutes before the 
first required ISS configuration or crew activity in support of the spacecraft 
on rendezvous (e.g., ISS attitude maneuver, appendage configuration, 
USOS GPS configuration), whichever comes first. 

• Ending with either the end of ISS integrated operations, or when ISS is not 
required to maintain its configuration (e.g., ISS attitude, USOS GPS 
configuration, or appendages in a configuration) to support the spacecraft, 
whichever comes later. 

• Applies anytime the spacecraft free-drift trajectory, including dispersions, 
is predicted to enter the ISS AE within the next 24 hours. 

Mission 

The mission begins with entry of the crew into the spacecraft, includes delivery 
of the crew to/from ISS, and ends with successful delivery of the crew to NASA 
after landing. 

Mission Critical 

Item or function that must retain its operational capability to assure no mission 
failure (i.e., for mission success). 

Operations Personnel

All persons supporting ground operations or flight operations functions of the 
CTS. Examples of these personnel are listed below: 

Persons responsible for the production, assembly/integration/test, validation, 
and maintenance of flight hardware, production facilities, launch site facilities, 
operations facilities, or ground support equipment (GSE). Persons involved 
with supporting or managing the launch countdown, crew training, or mission 
during flight. Persons involved in post-flight recovery. 

Orbit 

This flight phase starts just after final orbit insertion and ends at the completion 
of the first deorbit burn. 

Override 

To take precedence over system control functions. 

Pad Abort 

An abort performed where the crewed spacecraft is separated from the launch 
vehicle while the launch vehicle remains on the launch pad. As a result, the 
crewed spacecraft is safely transported to an area which is not susceptible to the 
dangers associated with the hazardous environment at the launch pad. 

Permanent Disability

A non-fatal occupational injury or illness resulting in permanent impairment
through loss of, or compromised use of, a critical part of the body, to include
major limbs (e.g., arm, leg), critical sensory organs (e.g., eye), critical life-supporting
organs (e.g., heart, lungs, brain), and/or body parts controlling major
motor functions (e.g., spine, neck). Therefore, permanent disability includes a 
non-fatal injury or occupational illness that permanently incapacitates a person 
to the extent that he or she cannot be rehabilitated to achieve gainful 
employment in their trained occupation and results in a medical discharge from 
duties or civilian equivalent. 

Portable Fire Suppression System

A system comprised of one or more portable handheld fire extinguishers and 
access ports. These access ports allow the user to discharge fire suppressant 
into enclosed areas with potential ignition sources. See also 3.10.12.2 Use of 
Hazardous Chemicals. 

Post-Landing 

The mission phase beginning with the actual landing event when the vehicle has 
no horizontal or vertical motion relative to the surface and ending when the last 
crewmember is loaded on the aircraft for return to JSC. 

Proximity Operations

The flight phase including all times during which the vehicle is in free flight 
beginning just prior to Approach Initiation (AI) execution and ending when the 
vehicle leaves the Approach Ellipsoid (AE). 

Quiescent Docked Operations

The state of the CTS spacecraft while it is docked to the ISS with hatches open 
and ISS services, as called out in SSP 50808, connected and operational. From 
this state, the vehicle can support immediate ingress and transition into safe 
haven in the case of an emergency. 

Recovery 

The process of proceeding to a designated nominal landing site, and retrieving 
crew, flight crew equipment, cargo, and payloads after a planned nominal 
landing. 

Reliability 

The probability that a system of hardware, software, and human elements will 
function as intended over a specified period of time under specified 
environmental conditions. 

Rendezvous 

The flight phase of executing a series of on-orbit maneuvers to move the
spacecraft into the proximity of its target. This phase starts with orbit insertion 
and ends just prior to the approach initiation. 

Safe Haven 

A functional association of capabilities and environments that is initiated and 
activated in the event of a potentially life-threatening anomaly and allows 
human survival until rescue, the event ends, or repair can be effected. It is a
location at a safe distance from or closed off from the life-threatening anomaly. 

Safety 

The absence of those conditions that can cause death, injury, occupational
illness, damage to or loss of equipment or property, or damage to the 
environment. 

Safety Critical 

A condition, event, operation, process, function, equipment or system 
(including software and firmware) with potential for personnel injury or loss, 
or with potential for loss or damage to vehicles, equipment or facilities, loss or 
excessive degradation of the function of critical equipment, or which is 
necessary to control a hazard. 

Search and Rescue 

The process of locating the crew, proceeding to their position, and providing 
assistance. 

Software 

Computer instructions or data stored electronically. Systems software includes 
the operating system and all the utilities that enable the computer to function. 
Applications software includes programs that do real work for users, such as
word processors, spreadsheets, data management systems, and analysis tools. 
Software can be Commercial Off-The-Shelf (COTS), contractor developed, 
Government furnished, or combinations thereof. 

Spacecraft 

All system elements that are occupied by the crew during the space mission and 
provide life support functions for the crew. The crewed element includes all the 
subsystems that provide life support functions for the crew. 

Space System 

The collection of all space-based and ground-based systems (encompassing 
hardware and software) used to conduct space missions or support activity in 
space, including, but not limited to, the integrated space vehicle, space-based 
communication and navigation systems, launch systems, and mission/launch 
control. 

Stowage 

The accommodation of physical items in a safe and secure manner in the 
spacecraft. This does not imply that resources other than physical 
accommodations (e.g., power, thermal, etc.) are supplied. 

Subsystem 

A secondary or subordinate system within a system (such as the spacecraft) that 
performs a specific function or functions. Examples include electrical power, 
guidance and navigation, attitude control, telemetry, thermal control, 
propulsion, structures subsystems. A subsystem may consist of several 
components (hardware and software) and may include interconnection items 
such as cables or tubing and the support structure to which they are mounted. 

System 

The aggregate of the ground segment, flight segment, and workforce required 
for crew rescue and crew transport. 

Task Analysis 

Task analysis is an iterative human-centered design process through which user 
tasks are identified and analyzed. It involves 1) the identification of the tasks 
and subtasks involved in a process or system, and 2) analysis of those tasks 
(e.g., who performs them, what equipment is used, under what conditions, the 
priority of the task, dependence on other tasks). The focus is on the human and 
how they perform the task, rather than the system. Results can help determine 
the hardware or software that should be developed/used for a particular task, the 
ideal allocation of tasks to humans vs. automation, and the criticality of tasks, 
which drive design decisions. Further information on task analysis can be 
found in JSC 65995 CHSIP, Section 4.1. 

Test 

A method of verification in which technical means, such as the use of special 
equipment, instrumentation, simulation techniques, and the application of 
established principles and procedures, are used for the evaluation of 
components, subsystems, and systems to determine compliance with 
requirements. Test will be selected as the primary method when analytical 
techniques do not produce adequate results; failure modes exist, which could 
compromise personnel safety, adversely affect flight systems or payload 
operation, or result in a loss of mission objectives. The analysis of data derived 
from tests is an integral part of the test program and should not be confused 
with analysis as defined above. Tests will be used to determine quantitative 
compliance to requirements and produce quantitative results. 

Time-Critical Cargo 

Cargo that requires late stowage pre-launch (within 24 hours of launch) and 
early removal post-landing (within 1 hour of crew egress). 

Transport 

Launch of crew and cargo to and return from the ISS. 

Validation

Proof that the product accomplishes the intended purpose. May be determined 
by a combination of test, analysis, and demonstration. 

Verification 

Proof of compliance with a requirement or specifications based on a 
combination of test, analysis, demonstration, and inspection. 

Appendix C: Guidance for Critical Models and Simulations

C.1 Scope

Modeling and simulation activities are used widely across the engineering disciplines; therefore, 
modeling and simulation results must be communicated with accuracy and clarity. The focus of this 
memo is on critical models and simulations (M&S) and defining recommended practices for 
communicating results from these critical models and simulations. 

C.2 Applicability 

Modeling or simulation is accomplished for many reasons; however, a common thread with most 
modeling and simulation activities is risk mitigation. NASA missions tend to be unique or one-of-a-kind,
requiring additional steps to offset the operational risks associated with the implementation of such
systems. The determination of whether a model or simulation is categorized as “critical” should be based 
upon an assessment of the risk posed by the potential use of the M&S. Such M&S risk assessments 
consider (1) the consequences to human safety or mission success criteria if a decision proves incorrect, 
and (2) the degree to which M&S results influence a decision. The risk assessment of consequence and 
M&S results influence can be evaluated with many different techniques. A common assessment 
technique uses a risk assessment matrix (e.g., Figure C-1).


M&S Results Influence (rows) by Decision Consequence (columns)

5: Controlling: (G) (Y)
4: Significant: (G) (Y)
3: Moderate: (G) (Y) (Y) (Y)
2: Minor: (G) (G) (Y)
1: Negligible: (G) (G) (G) (G)

Decision Consequence: IV: Negligible, III: Marginal, II: Critical, I: Catastrophic

Figure C-1: Sample M&S Risk Assessment Matrix

Definitions for the influence and consequence scales in Figure C-1 are provided in section C.3. For the
above example, all M&S that fall within the red risk categories were defined as critical; however, some 
M&S originally identified as yellow may, after closer examination, fall within the red risk category. As 
the classification of risk is somewhat subjective, the risk matrix is best used to discuss the risks, rather 
than as a definitive result. Regardless of the method used, all M&S identified as critical to the decision 
should follow the communications protocol that follows. 

C.2 Communication 

Once critical M&S are identified, the next step is to ensure the information generated by that M&S is 
properly communicated to everyone involved in the decision making process, which has two main 
components: the results of the M&S-based analysis and the credibility associated with those results. 

C.2.1 Results

All critical M&S results should include the following information along with the analysis: 

• Results Estimate 

• Statement of Uncertainty 

• Caveats 

• An Understanding of the Associated Risks 

Results Estimate:

The notion of a “best estimate of results” may be deceptively simple; however, it is critically important 
to never lose sight of the fact that all M&S results are estimates of a given system’s response (behavior), 
and not necessarily the exact response to expect. There is no generally applicable definition of “best
estimate,” and the results presented need to be carefully examined to ensure that they meet the needs
of the situation, which is similar to ensuring that the model of the system matches the system and
problem.

Questions to ask when presented with a best estimate of an M&S-based analysis include: 

• What definition of best estimate was assumed by the analyst? 

o Mean? Median? Mode? Maximum Likelihood? 
o Were higher-order statistical measures considered? 
o Were outliers removed? 

• Does everyone agree that this is the best definition for the problem at hand? 

Quantitative Statement of Uncertainty: 

As the results of an analysis are based on a model of the real system and its environment with 
concomitant assumptions, approximations, estimates, and other uncertainties, it is usually inappropriate 
and possibly misleading to present the outcome of an analysis as a single definitive result, at least 
without some qualification. Because of imperfections in models and data, models inherently contain 
uncertainties, which subsequently propagate into the results of a simulation analysis. Therefore, both the 
estimated results and the associated uncertainties in those results should be reported. 

Questions to be addressed include: 

• What are the magnitudes of the uncertainties in the results of this analysis? 

• Are the uncertainties understandable and reasonable? 

• How does the uncertainty influence the decision at hand? 

• How does the uncertainty influence the risk associated with the decision at hand? 

Caveats: 

For M&S-based analyses, a caveat is defined as follows: 

Modifying or cautionary information to consider when evaluating or interpreting the results of an
M&S-based analysis.

In a given M&S analysis, a caveat is information pertinent to the results presented that should at a 
minimum be noted, or should provide caution to the recipient (e.g., decision maker). Examples of 
possible caveats are: 

• Unachieved acceptance criteria. 

• Violation of any assumptions of any model used.

• Violation of the limits of operation. 

• Execution warning and error messages. 

• Unfavorable outcomes from the intended use and setup/execution assessments. 

• Waivers to any of the requirements in this standard. 

An Understanding of the Associated Risks: 

The risks associated with a given decision should be understood along with the influences of an M&S-based
analysis on that decision. The acceptability of the risks of a particular course of action is assessed
with respect to the consequences and likelihood of their occurrence (Figure C-2).

Figure C-2: Risk Assessment Matrix

C.2.2 Credibility Assessment 

The second part of communicating information about critical M&S is the credibility assessment. There 
are no pass/fail criteria for M&S analysis credibility assessments. The intent is to provide an accurate 
and consistent analytical assessment of the M&S that is used to start a dialogue between the people 
doing the M&S and the decision-makers. It is also important to note that the credibility assessment is
performed on the M&S analysis results, NOT on the people performing the analysis. The credibility 
assessment addresses eight factors that contribute to the credibility of M&S results: 

• Verification 

• Validation 

• Input pedigree 

• Results uncertainty quantification 

• Results robustness 

• Use history 

• M&S process, product, and data management 

• Qualifications of applicable personnel (People Qualifications) 

Figure C-3 is a 1-page example format used to document an M&S credibility assessment. Definitions of
each of the eight categories, as well as a description of the scaling, are provided in section C.4. It is
important to note that in the early design phases of a program or project, these factors may have low 
credibility assessments. As the program or project matures, along with it the M&S and input data, it is 
expected that the credibility assessment will correspondingly increase. It is expected that 
program/project management in association with the technical authority define and change the 
expectations for credibility throughout the lifecycle. The credibility assessment is meant to 
communicate a snapshot of the state of the M&S at the time the analysis was performed. However, it is 
commonplace at major reviews to have criteria against which to measure progress. Section C.5 provides 
some examples of the types of credibility assessment ratings expected at various phases/milestones in
the lifecycle of a program or project. The assessment of credibility can also be enhanced by a technical 
review of the M&S effort. This can encompass the development and use of the M&S spanning at least 
the first five factors of credibility and potentially all eight. 

Figure C-3: Sample Credibility Assessment Template


M&S Development 

Verification - Supporting Information 

Validation - Supporting Information 

M&S Operations 

Input Pedigree - Supporting Information 
Results Uncertainty - Supporting Information 
Results Robustness - Supporting Information 

Supporting Evidence 

Use History - Supporting Information 

M&S Process, Product, and Data Management - Supporting Information 
People Qualifications - Supporting Information 


C.3 Sample M&S Risk Assessment Matrix Definitions 
Decision Consequence 

Consequence classifications assess the impact of a decision that proves incorrect. The number of 
Consequence levels and most of the language is taken from NPR 8000.4. The last item in each class 
description has been added to address impact upon mission success criteria, such as science objectives. 

a. Class IV - Negligible. A poor decision may result in the need for minor first aid treatment but would
not adversely affect personal safety or health; damage to facilities, equipment, or flight hardware more 
than normal wear and tear level; internal schedule slip that does not impact internal development 
milestones; cost overrun less than 2 percent of planned cost; all mission success criteria met, with at 
worst minor performance degradations. 

b. Class III - Moderate. A poor decision may result in minor injury or occupational illness, or minor 
property damage to facilities, systems, equipment, or flight hardware; internal schedule slip that does not 
impact launch date; cost overrun between 2 percent and not exceeding 15 percent of planned cost; a few 
(up to 25 percent) mission success criteria not met due to performance degradations. 

c. Class II - Critical. A poor decision may result in severe injury or occupational illness, or major 
property damage to facilities, systems, equipment, or flight hardware; schedule slippage causing launch 
date to be missed; cost overrun between 15 percent and not exceeding 50 percent of planned cost; many
(between 25 percent and 75 percent) mission success criteria not met due to substantial performance 
degradations. 

d. Class I - Catastrophic. A poor decision may result in death or permanently disabling injury, facility 
destruction on the ground, or loss of crew, major systems, or vehicle during the mission; schedule 
slippage causing launch window to be missed; cost overrun greater than 50 percent of planned cost; 
most (more than 75 percent) mission success criteria not met due to severe performance degradations. 

M&S Influence 

Influence estimates the degree to which M&S results influence program/project engineering decisions. 
(Engineering decisions include determination of whether design requirements have been verified.) 

a. Influence 1 - Negligible. Results from the M&S are a negligible factor in engineering decisions. This 
includes research on M&S methods, and M&S used in research projects that have no direct bearing on 
program/project decisions. 

b. Influence 2 - Minor. M&S results are only a minor factor in any program/project decisions. Ample 
flight or test data for the real system in the real environment are available, and M&S results are used just 
as supplementary information. 

c. Influence 3 - Moderate. M&S results are at most a moderate factor in any program/project decisions. 
Limited flight or test data for the real system in the real environment are available, but ample flight or 
test data for similar systems in similar environments are available. 

d. Influence 4 - Significant. M&S results are a significant factor in some program/project decisions, but
not the sole factor for any program/project decisions. Ample flight or test data for similar systems in
similar environments are available.

e. Influence 5 - Controlling. M&S results are the controlling factor in some program/project decisions.
Neither flight nor test data are available for essential aspects of the system and/or the environment. 

C.4 M&S Credibility Assessment Template Definitions

The M&S credibility assessment consists of eight factors grouped into three categories, as shown below 
and in Figure 3. A five-level assessment of credibility is defined for each factor. 

M&S Development 

Verification: Were the models implemented correctly, and what was the numerical error/uncertainty? 
Validation: Did the M&S results compare favorably to the referent data, and how close is the referent to 
the real-world system? 

M&S Operations 

Input Pedigree: How confident are we of the current input data? 

Results Uncertainty: What is the uncertainty in the current M&S results? 

Results Robustness: How thoroughly are the sensitivities of the current M&S results known?

Supporting Evidence 

Use History: Have the current M&S been used successfully before? 

M&S Management: How well managed were the M&S processes, products, and data? 

People Qualifications: How qualified were the personnel?


Figure C-4 is the scale definition used in the sample Credibility Assessment Template in Figure C-3. 

Figure C-4: Sample Credibility Assessment Scale

C.4 Example Credibility Assessment Ratings for Various Milestones

Concept Development Phase Example